Re: Posting and redirecting to remote script [message #173291 is a reply to message #173290]
Fri, 01 April 2011 20:24
Captain Paralytic
Messages: 204 Registered: September 2010
On Apr 1, 8:54 pm, Toxalot <toxa...@gmail.com> wrote:
> On Apr 1, 3:36 pm, Captain Paralytic <paul_laut...@yahoo.com> wrote:
>
>> On Apr 1, 7:20 pm, Toxalot <toxa...@gmail.com> wrote:
>
>>> My client has a subscribers only area which is written in PHP. Login
>>> is through a form and sessions are tracked with cookies.
>
>>> One of the client's subscribers has their own members only website.
>>> The subscriber wants all their members to be able to access my
>>> client's subscribers only area without having to provide a username
>>> and password. The simplest way would be for the subscriber to put a
>>> form button on their site that has the login info in hidden fields.
>>> But that means any of their members could get the login details by
>>> viewing the source. I don't know how savvy their members are, but I
>>> don't like security through obscurity.
>
>>> I had hoped to create a simple little script that the subscriber could
>>> install that would post directly to my client's script and end up on
>>> the client's site. But so far, it hasn't been as simple as I'd hoped.
>>> All methods of posting to remote script keep the user on the same
>>> site.
>
>>> Any suggestions on how to handle this?
>
>> The script could post the necessary login to your client's site and
>> get a one-time token returned. It could use this on a header location
>> redirect to move the user to the other site. The other site would use
>> the one-time token to log them in and place the necessary cookie.
>
> I think I understand what you're saying.
>
> On client's site, I'd need
> - new script/function to create token, store token in database, and
> return token
> - new script/function to check for valid tokens, delete token, and
> then go on as per usual
>
> On subscriber's site, I'd need
> - script that posts login info using something like cURL, retrieves
> token, then redirects with token in query string
>
> Am I missing anything? Any tips or gotchas I should watch out for?
That's pretty much it.
You could also have a time limit on the token.
I'm sure that there are lots of other ways, for instance using an
OpenID, but this sounds like it fits with the ideas you were already
thinking of.
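The exchange the thread sketches, with both sites modelled in one file, as an added example that is not part of the original posts and not code from either poster. It is written in Python rather than PHP so the two sides can be driven together; the in-process method call stands in for the cURL POST, and the returned URL is what would go into the header Location redirect. The host names, the sso-login path, the 60-second token lifetime and the sha256 password stand-in are all assumptions.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Lifetime of a login token, in seconds (the "time limit" suggested in the reply).
TOKEN_TTL = 60


class ClientSite:
    """The subscribers-only site.  Exposes the two new scripts the thread
    describes: one that issues a token, one that redeems it."""

    def __init__(self, accounts, now=time.time):
        # accounts: username -> sha256 hex of the password (constructed sample data;
        # a real site would use a proper password hash, this is only a stand-in)
        self.accounts = accounts
        self.now = now
        # Only a hash of each token is stored, keyed to the user and an expiry,
        # so a leaked token table cannot be replayed against the redeem endpoint.
        self.tokens = {}

    @staticmethod
    def _digest(value):
        return hashlib.sha256(value.encode()).hexdigest()

    def _check_login(self, username, password):
        stored = self.accounts.get(username)
        if stored is None:
            return False
        return hmac.compare_digest(stored, self._digest(password))

    def issue_token(self, username, password):
        """Server-to-server endpoint.  Returns a fresh one-time token, or None."""
        if not self._check_login(username, password):
            return None
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self.tokens[self._digest(token)] = (username, self.now() + TOKEN_TTL)
        return token

    def redeem_token(self, token):
        """Browser-facing endpoint.  Consumes the token and returns the username
        to log in, or None.  The token is deleted before any other check, so a
        replayed or expired token can never be used later."""
        entry = self.tokens.pop(self._digest(token), None)
        if entry is None:
            return None
        username, expires_at = entry
        if self.now() > expires_at:
            return None
        return username  # the real script would now start the session / set the cookie


class SubscriberSite:
    """The subscriber's members-only site.  Its script never shows the
    credentials to the browser; it only hands the browser a short-lived token."""

    def __init__(self, client, login_url, username, password):
        self.client = client        # stands in for the remote HTTPS endpoint
        self.login_url = login_url
        self.username = username
        self.password = password    # kept server-side, e.g. in a config file

    def handoff(self):
        """Returns the Location header value for the redirect, or None on failure."""
        token = self.client.issue_token(self.username, self.password)  # the cURL POST
        if token is None:
            return None
        return self.login_url + "?" + urlencode({"token": token})


def run_demo():
    """Walks through the exchange with a controllable clock and returns the outcomes."""
    clock = [1_000_000.0]
    client = ClientSite({"subscriber1": ClientSite._digest("correct horse")},
                        now=lambda: clock[0])
    good = SubscriberSite(client, "https://client.example/sso-login",
                          "subscriber1", "correct horse")
    bad = SubscriberSite(client, "https://client.example/sso-login",
                         "subscriber1", "wrong password")

    def token_from(url):
        return parse_qs(urlparse(url).query)["token"][0]

    url = good.handoff()
    first = client.redeem_token(token_from(url))   # normal login
    replay = client.redeem_token(token_from(url))  # same token presented again

    stale_url = good.handoff()
    clock[0] += TOKEN_TTL + 1                      # user waited too long
    expired = client.redeem_token(token_from(stale_url))

    return {
        "redirect_url": url,
        "first_login": first,
        "replay": replay,
        "expired": expired,
        "bad_password": bad.handoff(),
    }


if __name__ == "__main__":
    print(run_demo())
```

Deleting the token before checking anything else is what makes it genuinely one-time: two browser requests racing with the same token cannot both succeed, and an expired token is discarded rather than left in the table. Because the token travels in the query string it will land in browser history and server logs, which is the reason the lifetime is kept to seconds and the value is useless after the first redemption.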