views:

337

answers:

2

I have a web based application that allows a user to point their DNS at my IP and my app will serve up their content based on the domain name I see in the HTTP host header. I should point out this is done by the application, not by the actual HTTP server(apache), it is a rebranded app sort of thing. The problem I have is that I would like the users to be able to login through a form on the served page and somehow stay within the domain of the user. This is easy, unless you want security. I would have to have a SSL cert installed for every domain to pull this off. Right now I can do it by submitting the form to a domain with an SSL cert installed, but due to browser security I can't exactly set the required cookies on the original domain.

Does anyone know a way I can securely log in users through the app that does not involve installing a lot of ssl certs. I can think of some convoluted ways using redirects or other mechanisms, but it is not that clean. I don't mind a submit to the secure url and a redirect, it's just setting the cookie can't be done.

+1  A: 

A common trick is to pass data in the URL. Facebook Connect does this. You can redirect from one domain to the other with a session token in the URL and then verify the token (perhaps convert to a cookie) when the request comes in on the other domain. Edit: the MSDN article that Facebook links to has much more detail.

Chris Boyle
+1  A: 

I've done this before using the following method...

Create auth key on server 1.

create_auth_key
    expires = time + expire_time
    data = username + '|' + password + expires
    secret = 'my secret key'
    hash = md5( data + secret )
    key = base64( data ) + hash

On server two you pass the newly created authkey

valid_auth_key(key)
    hash = key[-hash_size:]
    b64data = key[:-hash_size]
    data = base64decode( b64data )
    data_hash = md5( data + secret )
    if data_hash != hash:
        return false # invalid hash
    data_parts = data.split('|')
    user = data_parts[0]
    password = data_parts[1]
    expires = data_parts[2]
    if now > expires: 
        return false  # url expired
    return true

It's kind of quick and dirty but only relies on simple data passed via URL. The down side is that a specific url is all that's required to login and someone could share that url for a period of time. You also have to make sure your expiration time is not greater than the time difference between servers.

Great Turtle