Secure MediaWiki from Public Access Authenticate W

Published 2019-09-08 04:31

We have a web application that runs on an IIS6 ASP.Net server. You must be logged in to use the software. Basically, when you log in a cookie is generated; then, when you visit subsequent pages, they check for that cookie, and if it is not there you are redirected to login.

We want to implement a MediaWiki server using Linux/PHP (LAMP) to provide a "wiki" formatted help section for our users. However, we want to only allow access from people that are logged in to the software.

So we have software.company.com (Windows/IIS6/ASP.NET server) that you log in to and navigate to our help, which redirects you to kb.company.com (Linux/Apache/PHP server).

My thoughts are to use the same sort of "cookie" checking on the Linux server, but I'm not sure how to get the Windows IIS box to pass a token or something to the Linux server saying "hey, this user is logged in, so generate a cookie for them".

Anyone do anything like this? I may be completely missing the boat in my thinking...

1 answer
时光不老,我们不散
Post #2 · 2019-09-08 05:10

The problem here is about how to tell the kb.company.com site that the inbound user is genuinely authenticated and logged into support.company.com.

We have a very similar setup. We have a reseller portal and we have a private knowledgebase wiki site.

To transfer users over to the wiki site we have a special link that requests a page on support.company.com which generates a blob of data and a session key (for example a guid or two) that is persisted to a "session transfer" database table that's accessible to both sites.

We then Response.Redirect() the user to the wiki site with this key, for example:

http://kb.company.com/DoLogin.aspx?session=E97DDE8D-1C57-4450-ABE4-72E2054A1C82

In the wiki (we modified ScrewTurn wiki slightly) we have Forms Authentication turned on and deny access to anonymous users. The DoLogin.aspx grabs the session value from the query string and then looks for the record stored in the "session transfer" table. If there's a match then we authenticate the user and delete the session transfer record.

The session transfer record is also date and time stamped and is allowed a lifetime of 90 seconds after which a cleanup task will delete the record.

Rather than pass the session key value via the query string, you could pass this via a cookie where the cookie domain is set to company.com:

// Transfer key in a cookie scoped to the parent domain, so kb.company.com can read it
HttpCookie cookie = new HttpCookie("session", "<guid>");
cookie.Domain = "company.com";
Response.Cookies.Add(cookie);

Further embellishments would be to encrypt the cookie value, do some hashing, and check for tampering on the other side of the transfer. However, the content in our wiki isn't terribly valuable (none of it is editable by the end user); we just wanted to keep out casual passers-by, and this works just fine for us.
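The "session transfer" handoff described in this answer (one-time key persisted to a shared table, 90-second lifetime, record deleted on redemption, periodic cleanup, plus the optional tamper check) written out as a runnable example. This is added illustration code, not the answerer's ScrewTurn/ASP.NET code and not MediaWiki code; it uses Python with an in-memory SQLite table standing in for the shared database, and the HMAC secret is an assumed deployment detail shared by both sites. Both sides of the exchange are in one place so the logic can be followed end to end: the issuing site calls issue(), the receiving site calls redeem().

```python
import hashlib
import hmac
import sqlite3
import time
import uuid
from typing import Optional

# Lifetime of a transfer record, as in the answer above (90 seconds).
TRANSFER_TTL_SECONDS = 90


class SessionTransferStore:
    """The shared "session transfer" table, backed here by SQLite.

    The issuing site (support.company.com) calls issue(); the receiving
    site (kb.company.com) calls redeem(). In production both sites point
    at the same database; an in-memory database stands in for it here.
    """

    def __init__(self, conn: sqlite3.Connection):
        self.conn = conn
        self.conn.execute(
            "CREATE TABLE IF NOT EXISTS session_transfer ("
            " key TEXT PRIMARY KEY,"
            " username TEXT NOT NULL,"
            " created_at REAL NOT NULL)"
        )

    def issue(self, username: str, now: Optional[float] = None) -> str:
        """Create a one-time transfer key for an already-authenticated user."""
        key = str(uuid.uuid4())  # uuid4 comes from os.urandom, so it is unguessable
        self.conn.execute(
            "INSERT INTO session_transfer VALUES (?, ?, ?)",
            (key, username, time.time() if now is None else now),
        )
        self.conn.commit()
        return key

    def redeem(self, key: str, now: Optional[float] = None) -> Optional[str]:
        """Exchange a transfer key for the username it was issued to.

        Returns None for unknown, already-used or expired keys. The record is
        deleted on every attempt, so a key can be redeemed at most once, and an
        expired key is removed rather than left for a later try.
        """
        now = time.time() if now is None else now
        row = self.conn.execute(
            "SELECT username, created_at FROM session_transfer WHERE key = ?",
            (key,),
        ).fetchone()
        if row is None:
            return None
        self.conn.execute("DELETE FROM session_transfer WHERE key = ?", (key,))
        self.conn.commit()
        username, created_at = row
        if now - created_at > TRANSFER_TTL_SECONDS:
            return None
        return username

    def cleanup(self, now: Optional[float] = None) -> int:
        """The periodic task from the answer: drop records older than the TTL."""
        now = time.time() if now is None else now
        cur = self.conn.execute(
            "DELETE FROM session_transfer WHERE ? - created_at > ?",
            (now, TRANSFER_TTL_SECONDS),
        )
        self.conn.commit()
        return cur.rowcount


def new_store() -> SessionTransferStore:
    """Convenience constructor over an in-memory database (stand-in for the shared table)."""
    return SessionTransferStore(sqlite3.connect(":memory:"))


def sign_key(key: str, secret: bytes) -> str:
    """Append an HMAC so the receiving side can detect a tampered key.

    This is the "hashing and check for tampering" embellishment; the secret
    is an assumed value shared by both sites, not something from the answer.
    """
    mac = hmac.new(secret, key.encode(), hashlib.sha256).hexdigest()
    return f"{key}.{mac}"


def verify_signed_key(signed: str, secret: bytes) -> Optional[str]:
    """Return the bare key if the HMAC checks out, else None."""
    key, sep, mac = signed.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(secret, key.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    return key
```

The two properties that make this safe to expose on a query string or cookie are that the key is unguessable and single-use, and that it expires quickly; redeem() enforces both regardless of whether the cleanup task has run yet. The HMAC layer is only needed if the key travels through something the receiving side cannot trust, since a random UUID that is looked up in the shared table cannot be forged without the table.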
