Re: [Phplib-users] Basic authentication
From: Chris J. <ch...@ch...> - 2002-02-13 22:04:07
Maybe what I'm doing is not clear enough. I work for the Acme Company. We have an SSL-encrypted website that uses PHPLIB Auth authentication to provide some services to our clients. The Bravo Company also has an SSL-encrypted website for their customers. Many of the Bravo customers might want to use the Acme services. So my company, Acme, has struck a business deal with Bravo, to provide access to our services.

However, Bravo wants their users to only have to log in once -- that is, log into the Bravo website. Somewhere inside the Bravo website, they want to put a link to our (Acme) website. They want their users to be able to click on that link and end up in our website, without first having to type a username and password as our current customers do. That is, Bravo customers are "pre-authorized" by virtue of coming from Bravo and having signed in there first. We, at Acme, will of course have a list of those usernames and passwords from Bravo for the Bravo customers who want to access Acme.

I'm looking for a way to securely identify them. I can think of all kinds of complicated ways to do it. But it seems like a simple SSL form might be all that's needed. That is to say, on the Bravo web page, Bravo simply adds a link like this:

    <FORM METHOD=post ACTION="https://securesite.acme.com/bravopreauth.php">
      <INPUT TYPE="hidden" NAME="username" value="BRAVO-USERNAME">
      <INPUT TYPE="hidden" NAME="password" value="BRAVO-PASSWORD">
      <INPUT TYPE=submit VALUE="Enter Acme">
    </FORM>

This has many advantages, _IF_ it is secure enough.

1) Minimal programming on my part for the Acme Pre-Auth.
2) VERY minimal HTML changes on the part of Bravo for the POST FORM.
3) Bravo does not use PHP. Bravo may, in fact, have next to no technical resources to do this work, thus the easier for them, the better. One-time tokens for encryption, as suggested later by Layne Weathers, might just break the "tech effort" bank.

I'm not worried about future applications NOT using SSL. Everything we do is encrypted (it's health care data). I can ASSUME that if I get a valid username and password, I can give them access, IF this scheme prevents anyone from eavesdropping and gathering username/password pairs. If Bravo or a Bravo customer screws up and lets an unauthorized person have access to a username/password (e.g. by leaving themselves logged in, or other means), then it's not my or Acme's problem. As far as we know, the user is authorized.

I'm still trying to poke holes in this because it seems too simple. But on the other hand, it appears all data is being sent SSL-encrypted, so it is as safe as SSL, which should be good enough for this application. (We don't make nuclear bombs :-)

Make sense?

..chris

----- Original Message -----
From: "Peter Kursawe" <su...@si...>
To: <php...@li...>
Sent: Wednesday, February 13, 2002 2:38 AM
Subject: Re: [Phplib-users] Basic authentication

Hello Chris,

> They have proposed that they create a form on their page such that when the
> submit button is clicked, they will POST the data to me and pass the
> username and password.

I don't understand how they will do that. Do you/they mean it like this:

1. user gets a login form and enters username and password, presses submit ("validate me!").
2. the login server must process the login
3. the login server validates the login and shows a new form to the user with his/her username and password in hidden fields and a new submit button ("go to the application!")
4. user presses the submit button and comes to your server

This is possible to implement. And it is secure as long as you trust in the users. Because in this setting the user can fake the login server by building a form like that in 3. without having really logged in.

Or --- do you/they mean like this:

1. and 2. (as above)
3. login server validates login and sends username and password directly to your server via POST????

I don't know how to perform that. It may be possible, but I don't know how.
Peter Kursawe

_______________________________________________
Phplib-users mailing list
Php...@li...
https://lists.sourceforge.net/lists/listinfo/phplib-users
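The following is an added example, written for this archive page and not code from Chris, Peter, or the PHPLIB project. It puts the two things discussed in the thread side by side: the hidden-field POST form Chris proposes, and the kind of one-time token Layne Weathers is said to have suggested. The first half shows the hole Peter points at: the form is just HTML in the user's browser, so whoever holds the page (or the credentials in it) can submit the same POST without ever logging into Bravo, and SSL does nothing about that because it only protects the wire. The second half is a minimal signed, expiring, single-use token that Bravo could emit after its own login check; it needs only HMAC-SHA256 on Bravo's side, not PHP. Everything here is an assumption for illustration: the user list, the shared secret, the function names (`hidden_field_form`, `fields_from_form`, `acme_preauth_plain`, `bravo_issue`, `acme_verify`), the `|`-delimited token format and the 60-second lifetime. Python is used because both sides of the exchange are shown in one file; the thread's receiving page is PHP.

```python
import hashlib
import hmac
import html
import re
import secrets
import time

# Constructed sample data: the Bravo customers Acme has agreed to admit, with
# the passwords Chris says Acme will hold for them. Illustrative values only.
ACME_BRAVO_USERS = {"bravo-alice": "s3cret-alice", "bravo-bob": "s3cret-bob"}


def hidden_field_form(username, password):
    """The form Bravo would embed in its page, as proposed in the thread."""
    return (
        '<FORM METHOD=post ACTION="https://securesite.acme.com/bravopreauth.php">\n'
        f'<INPUT TYPE="hidden" NAME="username" value="{html.escape(username)}">\n'
        f'<INPUT TYPE="hidden" NAME="password" value="{html.escape(password)}">\n'
        '<INPUT TYPE=submit VALUE="Enter Acme">\n'
        '</FORM>'
    )


def fields_from_form(form_html):
    """What anyone who has the page can do: read the hidden fields back.
    SSL protected the bytes in transit; once rendered, the credentials are
    in the browser's hands and can be saved, bookmarked or re-posted at will."""
    return {m.group(1): html.unescape(m.group(2))
            for m in re.finditer(r'NAME="(\w+)" value="([^"]*)"', form_html)}


def acme_preauth_plain(post):
    """bravopreauth.php as proposed: a matching pair is accepted, whether it
    arrived from Bravo's page, a saved copy of it, or a hand-written POST.
    Nothing in the request proves a Bravo login happened."""
    stored = ACME_BRAVO_USERS.get(post.get("username", ""))
    return stored is not None and stored == post.get("password")


# ---- the one-time-token alternative -------------------------------------

SHARED_SECRET = b"acme-bravo-shared-secret"   # assumption: agreed out of band
TOKEN_TTL = 60                                 # seconds a token stays usable


def bravo_issue(username, now=None):
    """Bravo side, run only after Bravo's own login succeeded. The result goes
    into a single hidden field; any language with HMAC-SHA256 can produce it."""
    ts = int(now if now is not None else time.time())
    nonce = secrets.token_hex(8)
    body = f"{username}|{ts}|{nonce}"
    mac = hmac.new(SHARED_SECRET, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}|{mac}"


def acme_verify(token, seen_nonces, now=None):
    """Acme side. Returns the username on success, None otherwise.
    seen_nonces is the replay cache the caller persists (a table keyed by
    nonce; entries older than TOKEN_TTL can be discarded)."""
    parts = token.split("|")
    if len(parts) != 4:
        return None
    username, ts, nonce, mac = parts
    body = f"{username}|{ts}|{nonce}"
    expected = hmac.new(SHARED_SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):     # forged or tampered token
        return None
    if not ts.isdigit():
        return None
    current = now if now is not None else time.time()
    if abs(current - int(ts)) > TOKEN_TTL:         # stale or bookmarked token
        return None
    if nonce in seen_nonces:                       # replayed token
        return None
    if username not in ACME_BRAVO_USERS:           # not on the agreed list
        return None
    seen_nonces.add(nonce)
    return username


if __name__ == "__main__":
    page = hidden_field_form("bravo-alice", "s3cret-alice")
    replayed = fields_from_form(page)
    print("plain scheme accepts the form read back from the page:",
          acme_preauth_plain(replayed))
    cache = set()
    tok = bravo_issue("bravo-alice")
    print("fresh token accepted:", acme_verify(tok, cache))
    print("same token a second time:", acme_verify(tok, cache))
```

With the token, Acme no longer needs Bravo users' passwords at all, only the shared secret and the list of usernames it has agreed to admit; a captured or bookmarked form stops working after the lifetime, and a second submission of the same token is refused. The trade-off Chris raises still stands: Bravo has to compute one HMAC per link, which is more than editing static HTML.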