
PHP Server Side Scripting Forum

    
Logged into another site - hitting link to mine
securely passing credentials.
Beagle423




msg:3360483
 8:51 pm on Jun 6, 2007 (gmt 0)

I have a client that wants to provide their members a link to my site such that they can log into the original site, and then hit the link to my site, but somehow securely let me know who they are.

Is this best done by having the link to my site be a post from the original site and passing a $_POST variable?

They want the login credentials to be transparent to the end user.

Or does anyone have examples of a better way to do this?

M. Wold

 

bysonary




msg:3360502
 9:08 pm on Jun 6, 2007 (gmt 0)

Not sure if this would work, but why not use a session variable? Or use the URL, although using the URL and $_GET won't be as secure as perhaps you might like.

yumigator




msg:3360517
 9:25 pm on Jun 6, 2007 (gmt 0)

I agree that session variables would work best.

You could also write two functions, one on your client's site to encrypt the variables, and one on your site to decrypt the variables so you can read them. This way, you could use GET and it would be pretty secure (someone could always study many links and eventually figure out your encryption algorithm).

I'd recommend session variables over the other method; they are in general more secure. You shouldn't use POST because (to my knowledge) browsers require either a form or JavaScript to use POST.

cameraman




msg:3360607
 11:42 pm on Jun 6, 2007 (gmt 0)

Welcome to WebmasterWorld, Beagle423!

I believe that session variables reside on a server, so their session variables wouldn't be visible to your site.

I would recommend their login process send a [changing] validation key along with an identifier (the user's signin name or an id number) to your site via curl [php.net]. Your site would store the info in a database table. Their link would send the key as part of the url (yoursite.com?link=2112), then you look it up to see if it's "registered" and who it is. If you also store the time that it was curled to you, you could implement a timeout - for example, if someone asks for a key that was indeed valid but was submitted 2+ hours ago, you delete it and make the visitor log in or send him/her back to the client's login page.
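The key handoff described in the post above, sketched from the receiving site's side as an added example that is not part of the original thread. The table layout, the function names, the 128-bit random key and the rule that a key is deleted as soon as it is redeemed are assumptions; the lookup and the 2-hour timeout follow the post.

```php
<?php
// Added example, not from the thread. Table, function names and the
// single-use rule are assumptions; the 2-hour timeout is from the post.
const KEY_TTL_SECONDS = 7200;

function make_store(): PDO {
    $db = new PDO('sqlite::memory:'); // in-memory table so the example runs offline
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE handoff (link_key TEXT PRIMARY KEY,
               user_id TEXT NOT NULL, created INTEGER NOT NULL)');
    return $db;
}

// Runs in the endpoint the client's login process calls server to server.
// That endpoint must authenticate the caller (not shown here).
function register_key(PDO $db, string $key, string $userId, int $now): void {
    $st = $db->prepare('INSERT INTO handoff (link_key, user_id, created) VALUES (?, ?, ?)');
    $st->execute([$key, $userId, $now]);
}

// Runs when the visitor arrives with ?link=<key>. Returns the user id, or
// null when the visitor has to log in again.
function redeem_key(PDO $db, string $key, int $now): ?string {
    $st = $db->prepare('SELECT user_id, created FROM handoff WHERE link_key = ?');
    $st->execute([$key]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null; // never registered, or already used
    }
    // Delete on every hit: expired keys are purged and valid ones cannot be replayed.
    $del = $db->prepare('DELETE FROM handoff WHERE link_key = ?');
    $del->execute([$key]);
    if ($del->rowCount() !== 1 || $now - (int) $row['created'] > KEY_TTL_SECONDS) {
        return null; // lost a race with another request, or older than the timeout
    }
    return $row['user_id'];
}

// Constructed walk-through with made-up member ids.
$db  = make_store();
$now = time();
$key = bin2hex(random_bytes(16)); // unpredictable key, generated by the client's site
register_key($db, $key, 'member-1001', $now);
var_dump(redeem_key($db, $key, $now + 60));   // first visit inside the window
var_dump(redeem_key($db, $key, $now + 120));  // same link followed a second time
$old = bin2hex(random_bytes(16));
register_key($db, $old, 'member-1002', $now);
var_dump(redeem_key($db, $old, $now + 3 * 3600)); // link followed after the timeout
```

Because the key travels in the URL, it can end up in browser history, proxy logs and Referer headers, which is why the sketch makes it random, short-lived and usable once.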

Habtom




msg:3360795
 4:50 am on Jun 7, 2007 (gmt 0)

Cookies.

Google it [google.com], you will get sample codes.

Habtom

barns101




msg:3360995
 12:01 pm on Jun 7, 2007 (gmt 0)

I don't believe that a cookie set by the first site is readable by the second site.

Habtom




msg:3361007
 12:15 pm on Jun 7, 2007 (gmt 0)

Less secure but possible, read this [support.softartisans.com].

Habtom

<added>Oops that was for ASP, I still believe you can find something for PHP as well.

[edited by: Habtom at 12:16 pm (utc) on June 7, 2007]
