tags:

views:

66

answers:

4
+3  Q: 

Securely Transferring Users Between Web Sites

Here's the scenario:

  • You have two seperate websites that exist in different environments (I.E. different databases, different web servers/domains)
  • You have full control over the code for both sites, but from the above point, they can not directly communicate with each other's database
  • You must transfer user from site A to site B securely

What is the best way to implement this? Simply sending the user identifier between the sites via query string wouldn't be secure, even if encrypted, since someone else could obtain the URL. It seems like the standard solution is to pass the user identifier along with another temporary key that web site A created, and web site B knows about. If this is the case, what's the proper way of securely setting up the system with the temporary key?

Thanks!

+2  A: 

I am doing something like this. The best thing I can think of right now is passing a HASH of the user ID, or if that makes you worry, the hash of some other user data.

If yuo want temporary keys(I might do something like this too), how about setting up a web service on A that B can call to to get the user ID based on the temporary key. This way it's a totally separate call, and can be secured.

Neil N  2009-12-08 17:12:39
+2  A: 

Take a look at "Pass-through Authentication," its a concept that allows a user's identity to be passed from one system to another.

Additionally, another idea that you may want to try is to create a secure token that does not expose the user's information and pass it on. However, this requires both systems to have similar data to verify the token. As the other answer suggested, hashes are very good uses to create non-descriptive bits about sensitive information.

monksy  2009-12-08 17:13:10
A: 

You need to pass information between Site A and Site B, but you don't need to make the user the conduit for that information.

Site B could have a web-service that allows Site A to create a session for the user. In this design the interaction would go as follows:

  • User clicks button on Site A
  • Site A calls web-service on Site B which passes a temporary login URL back to Site A
  • Site A redirects user to the temporary URL on Site B
ctford  2009-12-08 17:36:14
+1  A: 

Write a web-service call over HTTPS, at both ends, to retrieve the users details, and that only works for a specific login-pair. Problem solved. You need to make the login-id's at both ends uniform or use single sign on cookies. More details in the paper by Vipin Samar: "Single Sign on Cookies for Web Applications".

They can't get the URL/Passwords unless they go into the application code at one of the servers.

Hassan Syed  2009-12-08 17:50:36

related questions

Encryption in C# Web-Services
How Do You Secure database.yml?
ASP.NET LocationProvider
What do you (or your company) use for wiping a machine?
Can a proxy server cache SSL GETs? If not, would response body encryption suffice?
Java: What is the best way to SFTP a file from a server
How do I call a Flex SWF from a remote domain using Flash (AS3) ?
Best way to store a database password in a startup script / config file?
Using VM to get around VPN restrictions
Best references for secure coding practices in ASP.NET and classic ASP.
Secure Memory Allocator in C++
Resolving Session Fixation in JBoss
Best Practices for securing a REST API / web service
Defensive programming
Personal Linux web server
Block user access to internals of a site using HTTP_REFERER
Is there an Unobtrusive Captcha for web forms?
My website got hacked... What should I do?
What all do I need to escape when sending a (My)SQL query?
How do you disable browser Autocomplete on web form field / input tag?
Best .NET obfuscation tools/strategy
Are there best practices for testing security in an Agile development shop?
What is the best way to avoid SQL injection attacks?
Found a critical bug, but the company doesn't care
PHP Session Security