Re: how to pass authorization to another application



Taylor wrote:
They are not on the same server. There is no shared internal method of
communicating, so they can only interact via get/post, and cookies.
The host application will authenticate the user, and then it needs to
pass the username and something that proves they've been authenticated
by the host app to my sub-app.


You have a problem then. Web server authentication (i.e. through .htaccess, etc.) is on a per-site basis. Your browser will not send authentication information from one server to another.

Cookies are the same way - the browser will not under normal conditions pass a cookie meant for one host on to another. Either one would be a severe security hole.

However, if the second server is a subdomain, you can use the domain parameter of setcookie() to specify the cookie will be available to all subdomains. See the PHP doc for setcookie() for more information.

However - warning. You should NOT rely on cookies for authentication. It's too easy for someone to edit the cookie (since it is sent to their machine) and authorize themselves - bypassing all of your security.

Perhaps another way (although I haven't tried) is to create a proxy on the first server and have it authenticate then pass on the request to the second one. The second server could then be set to completely block requests coming from other than the first server.

Not easy, but more secure.


--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@xxxxxxxxxxxxx
==================
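As an added illustration (not code from this thread), the proxy arrangement Jerry describes, in PHP: proxy.php on the host application forwards a request to the sub-app only after its own login has set the session, passing along the username it vouches for, and the sub-app refuses anything that does not arrive from the host server's address. The hostnames, paths, session key and the 192.0.2.10 address are assumed.

```php
<?php
// ---- proxy.php, on the host application server (assumed name) ----
// The host app has already authenticated the user and stored the name in
// $_SESSION['user'] (assumed key); nothing is forwarded without that.
session_start();
if (empty($_SESSION['user'])) {
    http_response_code(403);
    exit('Not logged in');
}
$subapp = 'https://subapp.example.com/handler.php'; // assumed sub-app URL
$fields = $_POST;                                   // caller's form data, passed through
$fields['auth_user'] = $_SESSION['user'];           // username vouched for by the host app

$ch = curl_init($subapp);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($fields));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$body   = curl_exec($ch);
$status = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);
http_response_code($status ? $status : 502);        // relay the sub-app's answer
echo $body;

// ---- handler.php, on the sub-app server (assumed name) ----
// The sub-app trusts auth_user only because the request came from the host
// server itself; a browser talking to the sub-app directly is refused, so an
// edited cookie on the user's machine buys nothing here.
$allowed_hosts = array('192.0.2.10');               // host app's address (assumed)
if (!in_array($_SERVER['REMOTE_ADDR'], $allowed_hosts, true)) {
    http_response_code(403);
    exit('Direct access refused');
}
$user = isset($_POST['auth_user']) ? $_POST['auth_user'] : '';
if ($user === '') {
    http_response_code(400);
    exit('No authenticated user supplied');
}
// ... sub-app work for $user goes here ...
echo 'Hello, ' . htmlspecialchars($user, ENT_QUOTES, 'UTF-8');
```

The REMOTE_ADDR check only holds if nothing between the two servers (a shared reverse proxy, NAT) lets other clients appear with the host server's address.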


