Re: How to Auto Login from Remote Site?
- Subject: Re: How to Auto Login from Remote Site?
- From: "Arturo Perez" <email@hidden>
- Date: Thu, 06 Jan 2005 16:20:58 -0500
Kieran Kelleher wrote:
> 1) I will create no password accounts on our website with userids
> corresponding to the customer's own website.
> 2) The customer site will redirect its logged in users to a Direct
> Action in my WO app using a secure request with form value key pairs
> that they generate based on my spec. The request will be authenticated
> using the following criteria for the request:
Make sure that the above happens with a POST not a GET. GET URLs are
logged all over the place.
> It must be a secure https request
> It must originate from the customer's IP address
IP addresses can be spoofed. Can you do something like give the remote
site a cookie to include on the request? You'd generate something
secure to go into the cookie, of course. Ideally, you'd also use that
secure token to encrypt the master password.
> It must contain a valid userid
> The request must contain a master passphrase for the customer
I would encrypt the above.
> Failure of any of these criteria will result in logging the reason it
> failed and a Page Not Found error (I don't want to give away details why
> the request failed)
> Does this sound like a sound secure approach, is there a better design
> pattern or am I reinventing the wheel?
Cross domain authentication can be tricky. You may want to create an
attack tree. Then, depending on your security requirements, verify that
you've nailed down everything adequately.
HTH,
arturo
Webobjects-dev mailing list (email@hidden)
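Added example (not code from the thread, Kieran's app or WebObjects): one concrete way to build the "secure token" exchange Arturo suggests, with both sides of the redirect shown. Instead of encrypting the master passphrase with the token, the customer site here signs the POST fields (customer id, userid, timestamp, nonce) with a per-customer shared secret using HMAC-SHA256, and the Direct Action side verifies the signature before trusting any field, rejects stale or replayed assertions, and returns only a reason string for the log while the caller serves the generic Page Not Found that Kieran describes. The secrets, the customer and user names, and the 300-second validity window are constructed for the example.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode

# Constructed per-customer shared secrets. In practice each customer gets its
# own secret out of band (this is the "something secure" handed to the remote
# site); it never travels in the request itself.
CUSTOMER_SECRETS = {
    "acme": b"constructed-example-secret-for-acme",
}

# Password-less accounts known to the WO app: customer -> userids.
KNOWN_USERS = {"acme": {"jsmith", "mjones"}}

MAX_CLOCK_SKEW = 300          # seconds an assertion stays valid (assumption)
SIGNED_FIELDS = ("customer", "userid", "ts", "nonce")


def _canonical(fields):
    # Fixed field order and separators so both sides sign identical bytes.
    return "\n".join(f"{k}={fields[k]}" for k in SIGNED_FIELDS).encode()


def sign(secret, fields):
    return hmac.new(secret, _canonical(fields), hashlib.sha256).hexdigest()


def build_login_post(customer, userid, secret, now=None):
    """Customer site: produce the POST body sent (over HTTPS) to the Direct Action."""
    fields = {
        "customer": customer,
        "userid": userid,
        "ts": str(int(now if now is not None else time.time())),
        "nonce": secrets.token_hex(16),   # single-use value for replay detection
    }
    fields["sig"] = sign(secret, fields)
    return urlencode(fields)


class LoginVerifier:
    """WO app side. verify() returns (userid, "ok") on success, else (None, reason).

    The reason is for the failure log only; the HTTP response stays a generic 404.
    """

    def __init__(self, customer_secrets, known_users, max_skew=MAX_CLOCK_SKEW):
        self.customer_secrets = customer_secrets
        self.known_users = known_users
        self.max_skew = max_skew
        self.seen_nonces = {}   # (customer, nonce) -> expiry; replay cache

    def verify(self, body, now=None):
        now = now if now is not None else time.time()
        parsed = parse_qs(body, keep_blank_values=True)
        # Require every field exactly once; a repeated parameter must not let a
        # second value slip past the one that was signed.
        fields = {}
        for k in SIGNED_FIELDS + ("sig",):
            vals = parsed.get(k, [])
            if len(vals) != 1:
                return None, f"missing or repeated field {k}"
            fields[k] = vals[0]
        secret = self.customer_secrets.get(fields["customer"])
        if secret is None:
            return None, "unknown customer"
        # Check the signature first, in constant time, before believing any field.
        expected = sign(secret, fields).encode()
        if not hmac.compare_digest(expected, fields["sig"].encode()):
            return None, "bad signature"
        try:
            ts = int(fields["ts"])
        except ValueError:
            return None, "bad timestamp"
        if abs(now - ts) > self.max_skew:
            return None, "assertion expired"
        # Drop expired nonces, then refuse any assertion seen before.
        self.seen_nonces = {k: exp for k, exp in self.seen_nonces.items() if exp > now}
        key = (fields["customer"], fields["nonce"])
        if key in self.seen_nonces:
            return None, "replayed nonce"
        self.seen_nonces[key] = ts + self.max_skew
        if fields["userid"] not in self.known_users.get(fields["customer"], ()):
            return None, "unknown userid"
        return fields["userid"], "ok"


if __name__ == "__main__":
    body = build_login_post("acme", "jsmith", CUSTOMER_SECRETS["acme"])
    verifier = LoginVerifier(CUSTOMER_SECRETS, KNOWN_USERS)
    print(verifier.verify(body))          # ('jsmith', 'ok')
    print(verifier.verify(body))          # (None, 'replayed nonce')
```

Because the signature covers the timestamp and nonce, a captured POST body cannot be replayed after the window closes or reused within it, which is the property the IP check alone does not give; the IP restriction and HTTPS remain useful as additional layers.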