RE: [Phplib-users] Basic authentication
From: Brian P. <bp...@ct...> - 2002-02-13 17:00:42
I would go ahead and have them encrypt the username and password somehow before posting it. SSL should protect it from being intercepted, but you never know when you might want to use this same signon process somewhere else, in a non-SSL environment. If you go ahead and expect encrypted data, you won't have to have two separate checks in your preauth, one for encrypted, one for not. An MD5 of the password and an agreed-upon token would probably be adequate.

This is purely hypothetical, but something similar should work I think (?):

Remote partner generates:

    $password = urlencode ( md5 ( $password . "magicword" ) );

and then links to:

    "http://www.yourphplibsite.com?username=$username&pw=$password"

Then in YOUR auth_preauth() you'd have something like:

    global $username, $pw;

    // Escape the request-supplied username before it goes into the query
    $sql = "SELECT * FROM auth_user WHERE username='" . addslashes ( $username ) . "'";
    $db->query ( $sql );
    if ( $db->next_record() ) {
        $dbuid = $db->f ( "user_id" );
        $dbpassword = $db->f ( "password" );
        $pw = urldecode ( $pw );
        // Strict comparison: == can treat two different "0e..." hex digests as equal numbers
        if ( $pw === md5 ( $dbpassword . "magicword" ) ) {
            return $dbuid;
        }
    }
    return 0;

-----Original Message-----
From: Chris Johnson [mailto:ch...@ch...]
Sent: Tuesday, February 12, 2002 8:44 PM
To: php...@li...
Subject: Re: [Phplib-users] Basic authentication

So, revisiting this issue a bit further:

If my "single signon" business partner who wants to send their users to my secure site running PHPLIB without forcing their users to log in again did the following, would that be sufficient?

They have proposed that they create a form on their page such that when the submit button is clicked, they will POST the data to me and pass the username and password. Since both sites are SSL (HTTPS) encrypted, the POST'ed data should be secure. I should then just be able to do an automated, behind the scenes login using their name and password, right?

It seems too simple! I'm always sceptical when it seems that easy. Anyone see any flaws in this?

Thanks,
..chris

_______________________________________________
Phplib-users mailing list
Php...@li...
https://lists.sourceforge.net/lists/listinfo/phplib-users
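
A hardened variant of the hand-off sketched in this thread, as an added example that is not part of either poster's message: instead of a static md5 ( $password . "magicword" ) value, which stays valid indefinitely if a link is captured, the partner sends a timestamped HMAC-SHA256 over the username. The function names, the `ts` and `sig` parameters, the secret and the 300-second window are assumptions made for illustration.

```php
<?php
// Added example: all names, parameters and the 300-second window are assumptions.
const SSO_MAX_AGE = 300; // seconds a signed assertion stays valid

// Partner side: sign "username|timestamp" with the shared secret.
function sso_sign(string $username, int $ts, string $secret): string
{
    return hash_hmac('sha256', $username . '|' . $ts, $secret);
}

// Partner side: build the query string for the hand-off link.
function sso_build_query(string $username, string $secret, int $now): string
{
    return http_build_query([
        'username' => $username,
        'ts'       => $now,
        'sig'      => sso_sign($username, $now, $secret),
    ]);
}

// Receiving side: return the username if the assertion is fresh and
// authentic, or null otherwise.
function sso_verify(array $params, string $secret, int $now): ?string
{
    foreach (['username', 'ts', 'sig'] as $key) {
        if (!isset($params[$key]) || !is_string($params[$key])) {
            return null;
        }
    }
    if (!ctype_digit($params['ts'])) {
        return null;
    }
    $ts = (int) $params['ts'];
    if (abs($now - $ts) > SSO_MAX_AGE) {
        return null; // stale or future-dated: limits replay of a captured link
    }
    $expected = sso_sign($params['username'], $ts, $secret);
    // hash_equals compares in constant time and never type-juggles
    return hash_equals($expected, $params['sig']) ? $params['username'] : null;
}

// Constructed demonstration values.
$secret = 'constructed-shared-secret';
$now    = 1013619642;
parse_str(sso_build_query('alice', $secret, $now), $params);
var_dump(sso_verify($params, $secret, $now));        // fresh link
var_dump(sso_verify($params, $secret, $now + 3600)); // same link replayed an hour later
$params['username'] = 'bob';
var_dump(sso_verify($params, $secret, $now));        // username altered after signing
```

Because the signature covers only the username and time, the partner never has to send or know the user's password, and the receiving site's auth_preauth() can map the verified username to a user_id as in the reply above.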