Securely Transferring Users Between Web Sites

2019-06-24 04:23发布

Here's the scenario:

  • You have two seperate websites that exist in different environments (I.E. different databases, different web servers/domains)
  • You have full control over the code for both sites, but from the above point, they can not directly communicate with each other's database
  • You must transfer user from site A to site B securely

What is the best way to implement this? Simply sending the user identifier between the sites via query string wouldn't be secure, even if encrypted, since someone else could obtain the URL. It seems like the standard solution is to pass the user identifier along with another temporary key that web site A created, and web site B knows about. If this is the case, what's the proper way of securely setting up the system with the temporary key?

Thanks!

4条回答
做个烂人
2楼-- · 2019-06-24 04:32

I am doing something like this. The best thing I can think of right now is passing a HASH of the user ID, or if that makes you worry, the hash of some other user data.

If yuo want temporary keys(I might do something like this too), how about setting up a web service on A that B can call to to get the user ID based on the temporary key. This way it's a totally separate call, and can be secured.

查看更多
聊天终结者
3楼-- · 2019-06-24 04:37

Write a web-service call over HTTPS, at both ends, to retrieve the users details, and that only works for a specific login-pair. Problem solved. You need to make the login-id's at both ends uniform or use single sign on cookies. More details in the paper by Vipin Samar: "Single Sign on Cookies for Web Applications".

They can't get the URL/Passwords unless they go into the application code at one of the servers.

查看更多
手持菜刀,她持情操
4楼-- · 2019-06-24 04:43

Take a look at "Pass-through Authentication," its a concept that allows a user's identity to be passed from one system to another.

Additionally, another idea that you may want to try is to create a secure token that does not expose the user's information and pass it on. However, this requires both systems to have similar data to verify the token. As the other answer suggested, hashes are very good uses to create non-descriptive bits about sensitive information.

查看更多
走好不送
5楼-- · 2019-06-24 04:47

You need to pass information between Site A and Site B, but you don't need to make the user the conduit for that information.

Site B could have a web-service that allows Site A to create a session for the user. In this design the interaction would go as follows:

  • User clicks button on Site A
  • Site A calls web-service on Site B which passes a temporary login URL back to Site A
  • Site A redirects user to the temporary URL on Site B
查看更多
登录 后发表回答