Single sign on scenario
#1

[eluser]Maarten Troonbeeckx[/eluser]
Hi guys,

Looking for some advice...
How would you handle the following?

Client has a website www.client.com where users have an account (email/pwd).
When users sign in (or are already signed in) they can click a button (POST) that'll take them to our site www.shop.com. The users need to be signed in automatically in our shop. Some personal information (firstname, lastname, email, uniqueID, ...) needs to be sent along, no passwords, though...

This is my solution so far.

On the side of the client they prepare a form with hidden fields containing the user data that needs to be sent. An extra field contains an md5 hash of the fields in alphabetical order with a secret key that only we and the client know.

Code:
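$secret = "$3(r37|<3'/"; // shared secret known only to client.com and shop.com
$user = array('uniqueID' => '00001', 'firstname' => 'John', 'lastname' => 'Doe', 'email' => '[email protected]' /* , ... */);

// Sort by field name so both sides concatenate the values in the same order
ksort($user);
$hash = md5(implode('', $user) . $secret);
$user['hash'] = $hash;

// Post $user data to www.shop.com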

At our side (www.shop.com) we create the same hash. If they are equal we have a valid user. If the user is already in our system, we automatically sign him/her in, if not, we firstly create the user and then sign him in.

It works, but is it secure enough?
Are there more graceful solutions?

Tnx in advance for your advice!

Grtz, M.
#2

[eluser]bapobap[/eluser]
Not a more graceful solution but I believe one that may be a bit more secure that I've used in the past.

- On the POST, create a hash or encrypted string and save that in the client.com database
- Redirect user to shop.com
- Shop.com sends a request in the background to client.com with the hash, where client.com can verify it and ensure it was created recently (and not someone trying their luck generating and submitting md5's) and responds
- Shop.com decides whether to log the person in or not

I think it adds an extra little layer of security and ensures that someone can't set up an automated tool to send shop.com hashes in the hopes they strike it lucky. It does add extra complexity but I'd err on the side of security. My feeling is to not trust any user input or anything that can be submitted by a user and to double check where possible.
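
The signed POST from post #1 combined with the "created recently" check from post #2, as an added PHP example that is not part of either post: it swaps md5(data . secret) for HMAC-SHA256 over an unambiguous field encoding and rejects stale or replayed requests. The `ts`, `nonce` and `sig` field names, the function names, the 300-second window and the in-memory `$seen` store are assumptions.

```php
<?php
// Added example (not from the thread); ts/nonce/sig, function names and MAX_AGE are assumptions.
const MAX_AGE = 300;

// Shared by both sites: HMAC-SHA256 over http_build_query(), which keeps field
// boundaries; with implode('') ("John","Doe") and ("JohnD","oe") hash the same.
function sso_mac(array $fields, string $secret): string
{
    ksort($fields);
    return hash_hmac('sha256', http_build_query($fields, '', '&'), $secret);
}

// client.com: add a timestamp and a random one-time nonce, then sign.
function sso_sign(array $user, string $secret, int $now): array
{
    $fields = array_map('strval', $user);
    $fields['ts'] = (string) $now;
    $fields['nonce'] = bin2hex(random_bytes(16));
    $fields['sig'] = sso_mac($fields, $secret);
    return $fields;
}

// shop.com: return the verified user fields, or null when the POST is rejected.
// $seen stands in for a shared store (database table or cache) of used nonces.
function sso_verify(array $post, string $secret, int $now, array &$seen): ?array
{
    if (!isset($post['sig'], $post['ts'], $post['nonce'])
        || array_filter($post, 'is_string') !== $post) {
        return null;                        // missing field or array-valued input
    }
    $sig = $post['sig'];
    unset($post['sig']);
    if (!hash_equals(sso_mac($post, $secret), $sig)) {
        return null;                        // fields altered or wrong key
    }
    if (abs($now - (int) $post['ts']) > MAX_AGE || isset($seen[$post['nonce']])) {
        return null;                        // stale or already used (replay)
    }
    $seen[$post['nonce']] = true;
    unset($post['ts'], $post['nonce']);
    return $post;
}

// Constructed sample data: the first POST verifies, its replay does not.
$secret = 'constructed-demo-secret';
$seen = [];
$post = sso_sign(['uniqueID' => '00001', 'firstname' => 'John', 'lastname' => 'Doe'], $secret, time());
var_dump(sso_verify($post, $secret, time(), $seen));
var_dump(sso_verify($post, $secret, time(), $seen));
```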
