SLUG Mailing List Archives
Re: [SLUG] safe(ish) single-login from website
- To: slug@xxxxxxxxxxx
- Subject: Re: [SLUG] safe(ish) single-login from website
- From: amos@xxxxxxxxxxxxxxxxxx
- Date: Tue, 15 Feb 2005 17:48:19 +1100
- Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:reply-to:to:subject:in-reply-to:mime-version:content-type:content-transfer-encoding:references; b=Fjr+h/Ip3Obwavu0J6aGsSZDajY+eDkuF/EoNiTtNIrbWwLAqCsLqn22q5/3ZPePPG2BiQmSFZU5Kdlk6yRK57X7RCCs8cBrgyA5OViQbpsAKpZaabtlkuBBjuv/dBbsifZW3BBpAnCR59OUa+FwpDxV/F9GvfQ5wAv8kpAp+iE=
Sounds like just what WebCollage (http://www.webcollage.com) do.
Basically what their product does is to translate the "syndicated" site
in order to contain the syndicated (and possibly customized) parts
of your site into their. The user don't see any of this and keeps seeing
the URL from the partner.
Lots of HTML and HTTP wizardry goes into this, including support for
single-sign-on and session tracking, among other stuff.
You might learn more from the "Interactive Web Services" paper in
Disclosure: I have stocks in the company (but I don't work for them).
On Tue, 15 Feb 2005 16:41:23 +1100, Taryn East
> I've been given the task of doing a single-login and am having trouble
> finding out how to do it...
> the issue is that our business allows some of our website to be viewable
> through the website of some of our "channel partners". These channel
> partners have a login to our website to allow them to do this.
> However, the channel partners have customers that only have a login to
> the channel-partner websites... and the channel partners don't want to
> directly give them the login to our site, but do want the pages
> displayed (generally using yucky frames... but hey).
> ok, now they aparrently used to do this by having a url with the
> username/password in it (ie using "basic" http authentication with the
> login details as parameters).
> Firstly this is unsafe and secndly - microsoft (in a rare moment where
> their interests align with ours) has turned this feature off in IE (to
> stop address-bar spoofing).
> I need some sort of alternative method of doing this, however all the
> 'help" files on this issue seem to just say: let the users get the
> prompt and login...
> the problem with this being that the user does not have the login
> details and will not be given them - ie this is not a solution for me
> Now when this issue first came up I got all enthusiastic and went
> wandring through the web and found that you can send the details in an
> http header etc etc... however I seem to have hit a brick wall in that I
> don't see how to actually send that.
> There is a hell of a lot on the web on autologin functions from the
> recipient side fo things (ie the one receiving the login details) but we
> need some code to hand to our channel partners that can run on their
> server to send the login details to us... something that can be
> activated through a normal webpage that will not bug the user for
> I trawled through the HTTP specs and the PHP pages looking for anything
> that might help, but I readily admit that I'm doing a random search - I
> don't really know where to go look for this stuff.
> Does anyone here have any ideas? Even just some general direction on a
> good place to go looking?
> Cheers and thanks in advance,