On 11/8/05 11:52 PM, Chris Shiflett wrote:
When I've provided this feature in the past, I've always taken advantage of launch and landing pages - e.g., users could only get to the other domain and still be logged in if they clicked a link from my application, and those links all go through a launch page. This page takes care of generating whatever data I plan to send to the remote domain (including the URL that the user wants to visit) and redirecting the user to the landing page at that domain. With servers synchronized with ntpd, this lets you close the window of opportunity down to just a few seconds, strengthening the technique.
I spoke to Chris a little further about this last night (so I'm crediting him with this), and I've noticed he hasn't responded, so I'm doing so.
He said that, since the domains are on the same machine, it's relatively easy for them to share the same session id (something I wasn't disputing), and he offered a solution to mitigate exposure of the session id: a temporary token.
Instead of passing the session id, create a randomly generated session token that is only valid for, say, 2 to 5 minutes. On the server, you can specify to which session the token corresponds, but you never reveal this to the client. You only reveal the token. Since it's only valid for a very small window of time, even if it is sniffed or appended to a URL (like in the linking examples I was giving), it won't allow others to use it to log in because it will have already expired.
This alleviates the exposure issues I was discussing. Hope this helps.

-- 
Ben Ramsey
http://benramsey.com/

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
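The launch/landing handoff Chris and Ben describe, as an added example that is not code from either of them or from the thread. It is written in Python rather than PHP so the logic stands on its own: the launch page on domain A mints a random token bound to the caller's session and to the URL the user asked for, stores that binding server-side only (both domains are assumed to sit on the same machine and share the store, as the thread states), and redirects with nothing but the token; the landing page on domain B redeems it, enforcing the short expiry and single use. The landing URL, the 120-second TTL and the in-memory dict store are assumptions for illustration.

```python
"""Cross-domain login handoff via short-lived, one-time tokens.

Added example, not code from the original thread. The session id itself
never leaves the server; only the random token is sent to the client.
The dict store stands in for whatever both domains share on the same host.
"""
import secrets
import time

TOKEN_TTL_SECONDS = 120          # the thread's "2 to 5 minutes", at the short end
_token_store = {}                # token -> {"session_id", "target", "expires"}


def issue_handoff_token(session_id, target_url, now=None):
    """Launch page (domain A): mint a random token bound to this session and
    to the URL the user wants on the other domain; return the redirect URL."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)        # 256 bits of randomness, unguessable
    _token_store[token] = {
        "session_id": session_id,            # never revealed to the client
        "target": target_url,
        "expires": now + TOKEN_TTL_SECONDS,
    }
    # Hypothetical landing-page URL on domain B (an assumption of this example).
    return "https://b.example/landing?token=%s" % token


def redeem_handoff_token(token, now=None):
    """Landing page (domain B): look the token up, enforce expiry and single
    use, and return (session_id, target_url), or None if it is not usable."""
    now = time.time() if now is None else now
    # pop() removes the entry unconditionally, so a token that was sniffed or
    # copied into a link cannot be replayed even inside the validity window.
    entry = _token_store.pop(token, None)
    if entry is None:
        return None
    if now > entry["expires"]:
        return None
    return entry["session_id"], entry["target"]


def purge_expired(now=None):
    """Housekeeping: drop tokens that were never redeemed. Returns the count
    removed, so the caller can log it."""
    now = time.time() if now is None else now
    stale = [t for t, e in _token_store.items() if now > e["expires"]]
    for t in stale:
        del _token_store[t]
    return len(stale)


if __name__ == "__main__":
    # Constructed walk-through: the user clicks a cross-domain link on A.
    redirect = issue_handoff_token("sess-abc123", "https://b.example/account")
    print("redirect to:", redirect)
    tok = redirect.split("token=", 1)[1]
    print("first redemption:", redeem_handoff_token(tok))   # session + target
    print("second redemption:", redeem_handoff_token(tok))  # None: already used
```

Note that the landing page still has to re-establish the session on domain B itself (for example by setting its own cookie from the returned session id); the token only proves that the user arrived through domain A's launch page within the last two minutes. Passing the clock in as `now` is what lets the expiry path be exercised without sleeping.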