distributed authentication

mark_kccs

Does anyone know of a way to sign in to one website and get redirect to another using the same credentials to log in to the other site? I believe that this will happen on 2 different severs if that matters.

Any pointers will be much appreciated.

Thanks

Jack_McSlay

you can make a form on your site which executes the action on the other site. but that's only assuming the other site allows form data from other locations.

example:

<form action="http://www.someothersite.com/login.php">

mark_kccs

Thanks for the reply.

I have been told that I may be able to achieve this with an htpasswd and htaccess file? Not sure how to go about this though. I need the client to be able to sign in to his account on one web site and follow a link to another site, which requires a login, and have the client logged in from his credentials of the other site. Hope that makes sense. Any ideas very welcomed.

Thanks

Jack_McSlay

here's a simple example of a .htaccess to allow from specific domains: http://www.usask.ca/its/courses/cai/htaccess/domain_example.html

on the proggramming side, I'd suggest you hold on the second site a script specific for external login, doesn't need any sort of visual interface, just to process the received POST data, authenticate then make an invisible form that submits itself via javascript, along the lines of:

<form action="http://www.site-that-will-receive-info.com/">
<input type="hidden" name="somedata" value="datavalue">
...
</form>
<script type="text/javascript">
document.getElementsByTagName('form')[0].submit();
</script>

mark_kccs

Thanks again.

I did think about using am md5 hash passed through the post data but my worry was the fact that this my be a vunerability?

Jack_McSlay

actually, hashing data usually protects from vulnerabilities by not putting transfering plain data.

in that case, I'd suggest you hash the password on the authentication server twice, and have the password sent by hashing only once. this allows to send encrypted passwords and still avoid storing on the database data that can be used by hackers to log in with the users' accounts.
Additionally, I'd recommend making up a list of trusted clients, and If possible, put the authentication script on https