On Wed, 2007-03-14 at 14:50 +0000, Matthew Vickery wrote:
> The situation is as follows:
> I wish to protect the entire Website http://www.example.com from
> direct URL access. i.e. if someone enters http://www.example.com into
> their browser they get a message stating that they are not authorised
> to access the site. The only way to access http://www.example.com
> should be to log into a second site http://www.intranet.com and follow
> a link from within to http://www.example.com.
>
> The problem:
> I initially thought I should use the predefined PHP variable
> $_SERVER['HTTP_REFERER'], but the PHP website explains that this
> "cannot really be trusted"
> (http://uk2.php.net/manual/en/reserved.variables.php).
>
> Next I thought about HTTP authentication. If I password protect the
> Website using .htaccess and .htpasswd as follows:
> Code:
>
> AuthName "Login to access the Website"
> AuthType Basic
> AuthUserFile /var/www/vhosts/example.com/httpdocs/.htpasswd
> Require user username
>
>
> Then my link within http://www.intranet.com could simply be:
> Code:
>
> <a href="http://username:password@xxxxxxxxxxxxxxx">Link to example.com</a>
>
>
> However this doesn't seem secure. The username and password are
> visible to anyone who views the source of the page with the link.
> Also as these are not encrypted is it not possible for them to be
> intercepted?
>
> I could of course write my own authentication code on
> http://www.example.com and pass a variable via a GET or POST from
> http://www.intranet.com, which would cause a login and a cookie to be
> set there. But this is basically the same as above and still seems
> insecure!
>
> Is there a better/standard way to do this kind of thing?

So you want a user who has authenticated on domain A to be able to
transparently transfer to domain B? Do they share a common database? Do
you have scripting access to both systems?

Cheers,
Rob.
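The following is an added example, not part of the original thread: one way to hand an authenticated intranet user over to www.example.com without putting a reusable password in the link, assuming scripting access on both hosts and a secret key held in server-side configuration on each. SHARED_KEY, make_handoff_url, verify_handoff, the handoff.php path, the HTTPS scheme and the 60-second lifetime are all assumptions made for the illustration.

```php
<?php
// Added illustration. The key below is a placeholder; in practice it is read
// from server-side configuration on both hosts and never appears in page source.
const SHARED_KEY = 'replace-with-random-bytes-from-config';
const MAX_AGE    = 60; // assumed lifetime of a handoff link, in seconds

// Runs on www.intranet.com for a user who is already logged in there.
function make_handoff_url(string $user, int $now): string
{
    $payload = http_build_query([
        'u' => $user,
        't' => $now,
        'n' => bin2hex(random_bytes(8)), // nonce so the receiver can refuse replays
    ]);
    $sig = hash_hmac('sha256', $payload, SHARED_KEY);
    // handoff.php is a hypothetical endpoint on the protected site.
    return 'https://www.example.com/handoff.php?' . $payload . '&s=' . $sig;
}

// Runs on www.example.com. Returns the user name, or null when the link is
// forged, expired or already used. $seen stands in for a store of used nonces.
function verify_handoff(array $q, int $now, array &$seen): ?string
{
    foreach (['u', 't', 'n', 's'] as $k) {
        if (!isset($q[$k]) || !is_string($q[$k])) {
            return null;
        }
    }
    // Rebuild exactly what the sender signed and compare in constant time.
    $payload = http_build_query(['u' => $q['u'], 't' => $q['t'], 'n' => $q['n']]);
    if (!hash_equals(hash_hmac('sha256', $payload, SHARED_KEY), $q['s'])) {
        return null;
    }
    $age = $now - (int) $q['t'];
    if ($age < 0 || $age > MAX_AGE || isset($seen[$q['n']])) {
        return null;
    }
    $seen[$q['n']] = true; // single use
    return $q['u'];
}

// Constructed demonstration with a made-up user name and timestamps.
$seen = [];
parse_str(parse_url(make_handoff_url('mvickery', 1000), PHP_URL_QUERY), $q);
var_dump(verify_handoff($q, 1010, $seen));                    // first use of the link
var_dump(verify_handoff($q, 1010, $seen));                    // same link presented again
var_dump(verify_handoff(['u' => 'admin'] + $q, 1010, $seen)); // user changed after signing
```

On success the receiving site would start its own session and set its cookie; anyone reading the intranet page source sees only a link that stops working after one use or once MAX_AGE has passed.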