tags:

views:

168

answers:

5
+2  Q: 

Pass user data between web applications on different servers.

We have two different web applications with different servers, stacks, etc. Let’s call one the Host at host.example.com, and the other the Client at client.example.com.

We want our users to log in to Host, and pass their credentials and some other information (real name, email address, DOB, etc) to Client. What is the best way of doing this? The user accesses Client from a Javascript request when viewing a page on Host.

Criteria:

  • The most important criterion is that the changes to Host should be as simple and easy as possible.
  • We cannot redirect the user (though their JS requests are fair game)
  • The Host must be platform agnostic. The Client is Django on App Engine, but that doesnt really matter I think.

Two options we've thought of:

  • an API on Client for Host to pass the data. Roughly, on login, the Host fetches login/ on Client, and passes the session ID, along with the data.

  • Storing the data is a signed or encrypted cookie. Judging from recent discussions about signed cookies in Django, this looks hard to get right.

A: 

It's kind of sketchy, but you could perform a redirect to a page on the Client with the relevant data included as a GET variable. If you do this, you should probably encode/encrypt the data. The Client would pick up the data, set relevant Session information, and continue on it's way.

Michael Bray  2010-01-07 18:18:26
Yeah, but we really dont want to redirect. I updated the question accordingly.
Paul Biggar  2010-01-07 18:23:22
Then how is the browser ending up on client??
Michael Bray  2010-01-07 18:24:53
Via a javascript request. So we can redirect the request, but not the user's attention.
Paul Biggar  2010-01-07 18:32:20
So the clients entire interaction is going to run thru your host server to the client server... as if the host was a proxy?? maybe i'm just not understanding, but if this is the case, then I'm not sure I can be of much help.
Michael Bray  2010-01-07 22:17:57
No. We view a page on the Host. The host page contains a javascript call to the Client, whose result is displayed on the page.
Paul Biggar  2010-01-08 07:16:54
A: 

Perhaps through sharing session state? Here's an example that uses the default SQL Server session provider and tweaking the GetTempAppId sproc to give the same value therefore making storing and retrieving seem as if its from a single app.

statenjason  2010-01-07 18:53:08
A: 

There's no simple way to do a good job of this. There are many ways to do it, but none are simple and secure at the same time. You might consider cgi/fastcgi/web service technologies on the host.

Jay  2010-01-07 19:02:44
A: 

I think the best option is the first:

an API on Client for Host to pass the data. Roughly, on login, the Host fetches login/ on Client, and passes the session ID, along with the data.

Perhaps you could use OAUTH to authenticate the requests. There is an open source implementation for App Engine from google and another one here.

jbochi  2010-01-09 10:34:55
A: 

You also could use a hybrid of these solutions. If the login generated a hashed/timed SessionID and stored it in a small session db along with the IP/userid, you could store this data in a domain level cookie and pass it right along. The client would then validate the sessionid/timestamp/ip/etc against the db the first time to verify immediate authentication and then proceed on its merry way handling the user and session however it expects to handle it. If you kept the timestamp expectation to something fairly short (10 seconds?), it could be used and consumed, and then a database cron job could be used to prune errant or un-consumed entries.

Joel Etherton  2010-01-14 18:30:21
I dont see any advantages over the first option.
Paul Biggar  2010-01-14 19:40:07
It would depend on the architecture and how updates are applied. One's a connected architecture, the other disconnected. I don't see either being better than the other, it would just be a matter of preference. I kinda got the impression they looked at the API with a "we don't really want to do that" mentality so I suggested something different.
Joel Etherton  2010-01-14 20:01:56

related questions

Web framework programming mindset
ASP.NET - asp:xxx Controls versus standard HTML
From Desktop to Web browser considerations
Which PHP Framework will get me to a usable UI the fastest?
Best practice for integrating TDD with web application development?
How to Manage Web Development?
When is a file just a file?
Recommendations for browser add-on tools to help with development
REALLY Simple Website--How Basic Can You Go?
Convince Firefox to send an If-Modified-Since header over HTTPS
What do the getUTC* methods on the date object do?
Planning and Building a mobile enabled site for your main site.
Firebug for IE
Javascript and PHP - Login Script with hidden buttons
Firebug won't display console feeds for some of my sites
Displaying ad content from Respose.WriteFile()/ Response.ContentType
How can I detect if a browser is blocking an popup?
How to Test Web Code?
What PHP framework would you choose for a new application and why?
How do you disable browser Autocomplete on web form field / input tag?
What is Progressive Enhancement?
In HTML, how to word-break on a dash?
The Definitive Guide To Website Authentication
How do you test layout design across multiple browsers/OSs?
How much of the Web build process do you/should you automate?