Ben Ramsey wrote:
> To me, it's not a question of whether the sites are physically
> located on the same machine, and it's not a question of
> encrypting the session id. Anyone who even knows the encrypted
> session id could then POST it to the form in a replay attack,
> authenticating themselves as the intended user.
You used a key word there - authenticate.
Sessions don't naturally exist across domains, so this problem is best
treated as an authentication problem - you want the user to have a
consistent experience, so you need to automatically authenticate the
user in order to do so. Techniques used to provide persistent logins
("remember me") can help here, except that you'll pass data in the URL
rather than in a cookie.
When I've provided this feature in the past, I've always taken advantage
of launch and landing pages - e.g., users could only get to the other
domain and still be logged in if they clicked a link from my
application, and those links all go through a launch page. This page
takes care of generating whatever data I plan to send to the remote
domain (including the URL that the user wants to visit) and redirecting
the user to the landing page at that domain. With servers synchronized
with ntpd, this lets you close the window of opportunity down to just a
few seconds, strengthening the technique.
I might try to write a more detailed spec for this at some point, but
hopefully that provides some good ideas. :-)
Chris
--
Chris Shiflett
Brain Bulb, The PHP Consultancy
http://brainbulb.com/
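One way to implement the launch/landing exchange Chris describes, as an added example that is not code from the original post: the launch page signs a short-lived, single-use token (user id, issue time, nonce, target URL) with a secret shared by both domains, and the landing page accepts it only if the HMAC checks out, the clock window has not passed, and the nonce has not been seen before. The function names, the shared secret and the 5-second window are assumptions.

```php
<?php
declare(strict_types=1);

// Assumed: both hosts run ntpd, so a window of a few seconds is enough.
const LAUNCH_WINDOW_SECONDS = 5;

// Launch page (domain A): build the URL that sends the user to domain B.
function build_launch_url(string $landingUrl, int $userId, string $target, string $secret): string
{
    $payload = json_encode([
        'uid'   => $userId,
        'iat'   => time(),                    // issue time, checked against the window on landing
        'nonce' => bin2hex(random_bytes(16)), // lets the landing page reject a replayed token
        'to'    => $target,                   // where the user wanted to go on domain B
    ]);
    $blob = rtrim(strtr(base64_encode($payload), '+/', '-_'), '='); // URL-safe base64
    $mac  = hash_hmac('sha256', $blob, $secret);
    return $landingUrl . '?t=' . $blob . '.' . $mac;
}

// Landing page (domain B): validate the token, then log the user in locally.
// $seenNonces stands in for whatever store (database, cache) records used nonces.
function verify_launch_token(string $token, string $secret, array &$seenNonces): ?array
{
    if (substr_count($token, '.') !== 1) {
        return null;
    }
    [$blob, $mac] = explode('.', $token, 2);
    // Constant-time comparison; a plain == would leak timing information.
    if (!hash_equals(hash_hmac('sha256', $blob, $secret), $mac)) {
        return null;
    }
    $payload = json_decode(base64_decode(strtr($blob, '-_', '+/')), true);
    if (!is_array($payload) || !isset($payload['uid'], $payload['iat'], $payload['nonce'], $payload['to'])) {
        return null;
    }
    // Reject tokens outside the window, whether stale or "from the future".
    if (abs(time() - (int) $payload['iat']) > LAUNCH_WINDOW_SECONDS) {
        return null;
    }
    // Reject replays: a nonce is accepted exactly once, even inside the window.
    if (isset($seenNonces[$payload['nonce']])) {
        return null;
    }
    $seenNonces[$payload['nonce']] = true;
    // The caller should still confirm 'to' points at its own domain before redirecting.
    return ['uid' => (int) $payload['uid'], 'to' => (string) $payload['to']];
}
```

On domain A the launch page does `header('Location: ' . build_launch_url(...))`; on domain B the landing page calls `verify_launch_token($_GET['t'], $secret, $seen)` and, on a non-null result, starts its own session for that user id and redirects to the target.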
--
PHP General Mailing List (http://www.php.net/)