tags:

views:

52

answers:

5
Q: 

How should my main web application (A) securely retrieve data from my content storage web application (B)?

I have two web applications (A) and (B).

(A) is my primary web application.

(B) is purely for content storage, such as file uploads by users of (A).

What's best way to securely retrieve data from (B) into (A) but in a way that does not expose the data in (B) to potential discovery by third-parties over the public internet or nosy users of (A)?

For example, if I use a HTML form POST from (A) to (B) to retrieve user data, and have a hidden form field called user_id=1, then someone could simply change this to user_id=2 and see the content owned by another user of the application. That would be a problem.

A: 

if you have a proper database in the back somewhere, you can use that to validate the access privilege of the requesting user (also depends on the type of connection pool you are using i suppose).

randy  2010-04-04 19:32:45
The user database only exists in (A) so it can't be used by (B) to validate access privileges to the data in (B).
fonacule  2010-04-04 19:39:52
A: 

I believe You are mixing conceptes. Access to data is one thing, and url's that give user that access is another. You have to describe problem further, we don't even know if those applications use database.

smentek  2010-04-04 19:40:37
+1  A: 

You should maybe consider basic authentication (username/password) for authenticating users. System (A) will then use a username and password to authentication itself with system (B).

To secure the username and password (which are part of the HTTP request), use HTTPS. Otherwise this data will be sent in clear text.

Eric Eijkelenboom  2010-04-04 19:41:00
Shame nobody voted this answer up!
Henri  2010-04-06 21:19:44
Exactly my thought ;)
Eric Eijkelenboom  2010-04-07 05:49:50
A: 

Why?

Why do you have two applications like this?

Toby Hede  2010-04-05 00:13:47
Having two applications like this allows the stored data to be used by more than one "approved" application.
Apie  2010-04-06 05:25:20
A: 

You could use Oauth http://oauth.net/

http://apiwiki.twitter.com/OAuth-FAQ

http://oauth.rubyforge.org/

Apie  2010-04-06 05:33:47

related questions

Encryption in C# Web-Services
How Do You Secure database.yml?
ASP.NET LocationProvider
What do you (or your company) use for wiping a machine?
Can a proxy server cache SSL GETs? If not, would response body encryption suffice?
Java: What is the best way to SFTP a file from a server
How do I call a Flex SWF from a remote domain using Flash (AS3) ?
Best way to store a database password in a startup script / config file?
Using VM to get around VPN restrictions
Best references for secure coding practices in ASP.NET and classic ASP.
Secure Memory Allocator in C++
Resolving Session Fixation in JBoss
Best Practices for securing a REST API / web service
Defensive programming
Personal Linux web server
Block user access to internals of a site using HTTP_REFERER
Is there an Unobtrusive Captcha for web forms?
My website got hacked... What should I do?
What all do I need to escape when sending a (My)SQL query?
How do you disable browser Autocomplete on web form field / input tag?
Best .NET obfuscation tools/strategy
Are there best practices for testing security in an Agile development shop?
What is the best way to avoid SQL injection attacks?
Found a critical bug, but the company doesn't care
PHP Session Security