SLUG Mailing List Archives
Re: [SLUG] safe(ish) single-login from website
- To: SLUG <slug@xxxxxxxxxxx>
- Subject: Re: [SLUG] safe(ish) single-login from website
- From: Rob Sharp <rob.sharp@xxxxxxxxx>
- Date: Tue, 15 Feb 2005 16:55:26 +1100
- Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:reply-to:to:subject:in-reply-to:mime-version:content-type:content-transfer-encoding:references; b=orBOQJ8ab6BCwPQW6iM35GQY0P5kMFOHB9d0xIVVYDt7pxZMDTjeA7GvBMHHPwSmR3npN7DIBFUUW/qGZxI54B/5RiAXQD86JVoUQ43eAUMPkcOx31TQ4PWIoRDSwlfTy9LNhVWKcarheFUdpemo6ZWOCgSj1V7kmEi826esQss=
- Reply-to: rob@xxxxxxxxxxx
I'm guessing that you use PHP, and if you are, then the CURL library
is your friend...
You should be able to authenticate to the remote site and 'proxy' the
pages to the users browser by echoing the server response to the
browser... You could then rewrite their links to use your 'proxy'.
Hope that points you in the right direction.
On Tue, 15 Feb 2005 16:41:23 +1100, Taryn East <slug@xxxxxxxxxxxxx> wrote:
> I've been given the task of doing a single-login and am having trouble
> finding out how to do it...
> the issue is that our business allows some of our website to be viewable
> through the website of some of our "channel partners". These channel
> partners have a login to our website to allow them to do this.
> However, the channel partners have customers that only have a login to
> the channel-partner websites... and the channel partners don't want to
> directly give them the login to our site, but do want the pages
> displayed (generally using yucky frames... but hey).
> ok, now they aparrently used to do this by having a url with the
> username/password in it (ie using "basic" http authentication with the
> login details as parameters).
> Firstly this is unsafe and secndly - microsoft (in a rare moment where
> their interests align with ours) has turned this feature off in IE (to
> stop address-bar spoofing).
> I need some sort of alternative method of doing this, however all the
> 'help" files on this issue seem to just say: let the users get the
> prompt and login...
> the problem with this being that the user does not have the login
> details and will not be given them - ie this is not a solution for me
> Now when this issue first came up I got all enthusiastic and went
> wandring through the web and found that you can send the details in an
> http header etc etc... however I seem to have hit a brick wall in that I
> don't see how to actually send that.
> There is a hell of a lot on the web on autologin functions from the
> recipient side fo things (ie the one receiving the login details) but we
> need some code to hand to our channel partners that can run on their
> server to send the login details to us... something that can be
> activated through a normal webpage that will not bug the user for
> I trawled through the HTTP specs and the PHP pages looking for anything
> that might help, but I readily admit that I'm doing a random search - I
> don't really know where to go look for this stuff.
> Does anyone here have any ideas? Even just some general direction on a
> good place to go looking?
> Cheers and thanks in advance,
> This .sig temporarily out-of-order.
> We apologise for any inconvenience
> - The Management
> SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
> Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html