NYCPHP Meetup

[Hans Zaunere]

Mark Armendariz wrote:

> Anyone here ever create a cross-domain login system?  I'm still waiting 
> for details to see if the domains will have access to the same db or 
> same server.  I figure one way to do it would be to somehow transfer 
> session info form one domain to the other, but it seems like there's 
> plenty of security issues in doing so.  I thought maybe passing an md5 
> encrypted string with the username, password form one site to the next 
> might work as well, but I'm still not too sure of the security issues, 
> especially considering the issues pointed out a couple weeks back 
> regarding auto-logins.

In addition to passing some type of key (for instance an md5), you can fingerprint the browser.  If a shared DB is available, you could store the browser's request header and then compare it to what the browser requests on the second server (domain).  This adds a bit of security.

I once had to do a cross-site login thing between a cold fusion server and a PHP server.  They didn't share a DB, and I had very little control over the CF site.  What I finally did was implement a call-ahead to the php site.

1)  User logs into CF and is directed to a protected page.
2)  Within this protected page is a <cfhttp> tag that makes a request to a private URL on the php server.
3)  The php server records the unique key, and could store other info, like a browser fingerprint.
4)  When the user clicks a link with the unique key to get to the PHP server, the PHP box is already aware that this person is coming.

While I'm still passing a unique key via a get, the call-ahead provides some added security, especially when the systems don't share a DB.

H