Wednesday, November 24, 2010
On 24 Nov 2010, at 15:58, Xdmx Xdmx wrote:
Mmm.. but in this case you're considering that there are two separated
applications, but actually there is only one application which manage
both the main and the external apps/domains.
The signin/signup page will be on the main address (in order to have a
correct ssl from the main domain), but then the user will be redirected
back to the external domain. This shouldn't be a big problem, my worry
is about the session cookie, having it set on the main domain it would
refer to it, and it actually won't be in the external one. Otherwise to
solve it the signup/signin page could be on the external domain too, but
without a ssl page it wouldn't be so cool (actually it would be better
on everypage, but i'm worried that it would overcomplicate a lot all the
system)
The simple fact of the matter is that sessions can only be created on the domain in the url (subdomains can share a session, but the domain is still the same).
In your case, if a secure page to login is a requirement and you don't want to buy a certificate for every single domain that registers your app, you will have to use some form of interdomain communication to authenticate the session in the external domain. It doesn't matter if the authentication is actually in the same app or a separate one. The domain is the unique identifier here, not the app itself. (And SSL certificates shouldn't be implemented for coolness, but I get your point ;-))
I have quite a bit of other stuff on my mind right now, but something like this comes to mind:
- Browse to external domain http://external.domain.com/
- No session => redirect to main domain login page (passing in the originating domain as a parameter) https://maindomain.com/login?domain=external.domain.com
- User enters login data, your app verifies the credentials and writes an expiring token (a few seconds should be enough) to the user table for the user logging in and then redirects to http://external.domain.com/login?token=af8117c03b3f01b20b9360f2fb5fee57
- Your external domain will be able to verify which user it's about and build the session on the external domain.
It's very important here that the token you use expires fairly quickly so sessions can't be hijacked.
Maybe some people will read this and raise some security concerns that I haven't thought of, but as I said, I'm just saying what comes to mind without thinking much further :-)
Best regards
Peter De Berdt
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment