Tugger the SLUGger! SLUG Mailing List Archives

[SLUG] Re: safe(ish) single-login from website


On Tue, Feb 15, 2005 at 04:41:23PM +1100, Taryn East wrote:
> I've been given the task of doing a single-login and am having trouble
> finding out how to do it...
> 
> the issue is that our business allows some of our website to be viewable
> through the website of some of our "channel partners". These channel
> partners have a login to our website to allow them to do this.
> 
> However, the channel partners have customers that only have a login to
> the channel-partner websites... and the channel partners don't want to
> directly give them the login to our site, but do want the pages
> displayed (generally using yucky frames... but hey).

There's lots of things that can be done with cookies:

The bog-basic way -- have the channel partner set a cookie for your site
containing info on them.  Maybe base64 encode it to keep out the casual
poker.

The hyper-secure option -- Provide each of your channel partners with the
public portion of an asymmetric key, with which they encrypt the contents of
the cookie, typically a unique ID of some sort, or perhaps other useful
info.  Your site then decrypts the cookie with the private portion of the
key, and (assuming everything matches) grants appropriate access.  Use
asymmetric rather than symmetric so that insecurity at the other sites won't
screw *you* over, and use a different key pair for each channel partner so
that you can prove which partner provided the referral.

The WS option -- Have the channel partner generate a unique ID and send it
to your site via some sort of basic SOAP interface, and hand the same ID (or
derivative) to the user in a cookie set for your site.

Alternately, the channel partners could have individual portal pages which
they point their users to, which you then set cookies or whatever to
identify the visitor and they get redirected to the right place.

> ok, now they apparently used to do this by having a url with the
> username/password in it (ie using "basic" http authentication with the
> login details as parameters).

Eeeeeeew.  Why bother even *having* logins if they're going to send them to
anyone that asks for them?

> There is a hell of a lot on the web on autologin functions from the
> recipient side of things (ie the one receiving the login details) but we
> need some code to hand to our channel partners that can run on their
> server to send the login details to us... something that can be

Details of the partners' sites?  If you're going to write it for them,
unless they're all using the same environment and roughly the same websites,
you're not going to be able to send them a one-size-fits-all bit of code.

- Matt
