views:

128

answers:

2

I have 2 sites that are on different servers and domains but I would like to pass from one to the other with out having to re-authenticate.

Both sites use the same DB so my thought was have an Auth Table where I place a GUID, the users ID, and a time stamp. I would pass the GUID in the URL and do a lookup to see if the GUID is in the table and is less then X old, if so authenticated the user.

Any thoughts?

+1  A: 

Yes, As long as security is not critical in your solution. If security is critical (money is involved) some other measures should be added. like - encrypt the guid or pass it over secure connection -so it can't be stolen have the guid used only once (to avoid replay attacks, and constantly look for holes in this system, as you implement your own security.

encryption is not easy as you need a key, and if you choose bad keys, or store them not good, the encryption is useless.

knowing more about the architecture, clients might help tightening the security some more.

Remember that passing it as part of the URL leaves a trail all over the web with the guid. Maybe there is a better way to pass it, maybe as data.

Dani
If i read the qiestion corretly he isn't talking abount passing the guid on the wire just doing a lookup in a common database which is server side, since it never leaves the server is their a risk?
Christopher Kelly
He want as I understand it to pass from one site to another using the guid as part of the URL.then the 2nd web server will do the lookup.... the guid is passed from the clinet from one server to another server, and it is the key for that account.
Dani
Again - if it's not critical, (like a financial game, or something that can't move money from place to place) this is one thing. if this methods protects money or valuable assets, extra care should be taken.
Dani
+1  A: 

The secure way to do this would be to use OpenID with Directed Identity. This way the first site can assert the identity of the user that is accessing the second site.

Sean Kinsey