hackalive Posted July 10, 2013 Hi guys, So I am making a PHP site that I will host and others can make use of (after creating an account), however I want to integrate it with their local LDAP accounts/server. I do not want to distribute copies of the software for them to put on their servers. So I am thinking they would first need to visit myproduct.theircompany.com to login (this code would be on a server able to access their LDAP server), which when it returns as authenticated (OK) it would then redirect to myproduct.com and have them as logged in. Now my issue is, how do I stop people being able to spoof myproduct.com into thinking someone is logged in, how do I pass the data back from myproduct.theircompany.com to myproduct.com? Any ideas? Or questions? Cheers
Eiolon Posted July 10, 2013 I guess you could do a couple of approaches.

1. Host the login on your server. Make myproduct.theircompany.com forward to the login page.
2. Host the login on your server, but on myproduct.theircompany.com use an include for the login form. Looks like it is hosted on their server but in reality the form itself is included from your server.
3. Store session information in a database and use a custom session save handler.
hackalive Posted July 11, 2013 Any other suggestions?
cpd Posted July 11, 2013 Why would you have them log in at a sub on their site if it redirects to your website and everything is on there? Why not have them log in on your site?
hackalive Posted July 12, 2013 Want to integrate with their existing LDAP login so they don't have another account to remember.
trq Posted July 12, 2013 I recently did the same thing for work. We used a very simple mechanism where we created a public / private key pair which both systems were aware of. On the client system you compose a query string containing your public key and your data, and your data hashed together with the private key. Something like:

$private_key = 'fooisgood';
$s = 'public_key=thisisfoo&data=is_valid';
$hash = md5($s . $private_key); // the private key is folded into the hash, so only a holder of it can produce it
$s .= '&hash=' . $hash;

You then send $s to your server system. On the receiving end we can now validate that this string was sent from a system that knows our private key by checking it. eg;

$private_key = 'fooisgood';
$public_key = $_GET['public_key'];
$data = $_GET['data'];
$hash = $_GET['hash'];
// recompute the hash over the same string, with the same private key, and compare
if (md5("public_key={$public_key}&data={$data}" . $private_key) == $hash) {
    // is_valid is true.
}

Of course I wouldn't use md5 and we added a bunch more stuff to this including a timestamp so that each request only had a short lifespan (60 seconds), but you get the idea. This is a VERY simple mechanism however. It is blown quite easily if your code gets distributed into the wrong hands as the algorithm is found out. However, for a lot of cases, this mechanism is fine.
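The handoff trq describes, written out as an added example (not trq's or the original poster's code): the shared secret is keyed in with hash_hmac instead of a plain md5, the comparison uses hash_equals, and a timestamp bounds each request to a 60-second window. The secret, customer key and username are constructed values; both hosts are assumed to hold the secret out of band.

```php
<?php
// Side A (myproduct.theircompany.com, after a successful LDAP bind):
// build the signed query string that the browser is redirected with.
function build_sso_query(string $secret, string $publicKey, string $user, int $now): string
{
    // public_key identifies the customer; data carries the authenticated user; ts is issue time.
    $params = ['public_key' => $publicKey, 'data' => $user, 'ts' => $now];
    $s = http_build_query($params);
    // HMAC over exactly the string that is sent, keyed with the shared secret.
    $params['hash'] = hash_hmac('sha256', $s, $secret);
    return http_build_query($params);
}

// Side B (myproduct.com): verify before creating any session.
// Returns the asserted user on success, null on any failure.
function verify_sso_query(string $secret, string $query, int $now, int $maxAge = 60): ?string
{
    parse_str($query, $p);
    foreach (['public_key', 'data', 'ts', 'hash'] as $k) {
        if (!isset($p[$k])) {
            return null;
        }
    }
    // Reject stale or future-dated requests before doing any crypto;
    // this is what limits replay of a captured redirect URL.
    $age = $now - (int) $p['ts'];
    if ($age < 0 || $age > $maxAge) {
        return null;
    }
    // Recompute the MAC over the same canonical string the sender signed.
    // In a real deployment the secret would be looked up from public_key.
    $s = http_build_query([
        'public_key' => $p['public_key'],
        'data'       => $p['data'],
        'ts'         => (int) $p['ts'],
    ]);
    $expected = hash_hmac('sha256', $s, $secret);
    // Constant-time comparison; a loose == compare would be the wrong tool here.
    if (!hash_equals($expected, $p['hash'])) {
        return null;
    }
    return $p['data'];
}

$secret = 'constructed-shared-secret';                       // constructed sample value
$q = build_sso_query($secret, 'acme', 'jdoe', time());        // constructed customer and user
var_dump(verify_sso_query($secret, $q, time()));              // fresh, untouched request
var_dump(verify_sso_query($secret, $q, time() + 120));        // same request outside the window
var_dump(verify_sso_query($secret, str_replace('jdoe', 'admin', $q), time())); // data altered in transit
```

Only the last case should ever reach session creation if it returns a string; the other two return null and the login is refused.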
hackalive Posted July 12, 2013 Would it be more secure if I used X.509 and AES?