Adam Hubscher <webmaster@xxxxxxxxxxxxxxxx> writes: > Problem: I would like to possibly utilize a login system (created on > the remote server), that would then check their username and password > against the CMS database located there, then redirect with that > information (encrypted of course), to the local site where the > information gets stored in a session. Then when they go to create a > new account, it stores the extra verfied information into the database. > > However, the issue at hand here is, I'm not sure how secure it would > be if I were to say, create a secure login form, verify the > data... and then create another pseudo form that directs the person to > the local-based site using hidden post variables (this is my original > thought on the subject). > > Is there another way I could go about doing this (ie, a way that I > could identify a user that is almost assuredly never going to change) > or is there a more secure way? Or, am I on the right track? Maybe instead of passing the password, you can create a unique sessionid for the user. The userid+the sessionid can then be stored in a database and you pass the sessionid ahead instead of passing the password. On the other end, you can check if the userid and the sessionid that you have received has been authenticated or not. (This assumes that the database in which you kept the sessionid is accessible to both the sides). You will also need to store the timestamp of when the sessionid was created and discard old sessionids. -- Raj Shekhar Y! : Operations Engineer MySQL DBA, programmer and slacker Y!IM : lunatech3007 home : http://rajshekhar.net blog : http://rajshekhar.net/blog/ -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
