Re: Re: Session's across Domains...

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Ben Ramsey wrote:
To me, it's not a question of whether the sites are physically
located on the same machine, and it's not a question of
encrypting the session id. Anyone who even knows the encrypted
session id could then POST it to the form in a replay attack,
authenticating themselves as the intended user.

You used a key word there - authenticate.

Sessions don't naturally exist across domains, so this problem is best treated as an authentication problem - you want the user to have a consistent experience, so you need to automatically authenticate the user in order to do so. Techniques used to provide persistent logins ("remember me") can help here, except that you'll pass data in the URL rather than in a cookie.

When I've provided this feature in the past, I've always taken advantage of launch and landing pages - e.g., users could only get to the other domain and still be logged in if they clicked a link from my application, and those links all go through a launch page. This page takes care of generating whatever data I plan to send to the remote domain (including the URL that the user wants to visit) and redirecting the user to the landing page at that domain. With servers synchronized with ntpd, this lets you close the window of opportunity down to just a few seconds, strengthening the technique.

I might try to write a more detailed spec for this at some point, but hopefully that provides some good ideas. :-)

Chris

--
Chris Shiflett
Brain Bulb, The PHP Consultancy
http://brainbulb.com/

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php


[Index of Archives]     [PHP Home]     [Apache Users]     [PHP on Windows]     [Kernel Newbies]     [PHP Install]     [PHP Classes]     [Pear]     [Postgresql]     [Postgresql PHP]     [PHP on Windows]     [PHP Database Programming]     [PHP SOAP]

  Powered by Linux