05-24-2002, 06:18 PM
Confirmed User
Join Date: May 2002
Location: CT
Posts: 5,246
Quote:
Originally posted by NetRodent
Actually the only good way to do it IS with cookies. You can't use basic authentication, because the surfer's browser will only send the username/crypted password to the realm (and thereby domain) that the surfer entered the password for, and you can't modify that server side. You can also play around with authenticating by referring URL, but you can't rely upon that being present, it's easy to forge, and you lose the ability to track what a particular user is doing.
If you want to authenticate/authorize across multiple domains, it needs to be done with a variable you have control over server side, such as cookies. You can do cross site authentication/authorize, although it is a real pain to set up and you need to have control of both servers and there are some compatibility issues.
Basically, you change your authentication/authorization from looking at the username and password to looking at a cookie (which only gets set on two conditions: if the user enters a valid username/password on a login form, or the user clicks on a link leading to the protected area that contains a time-sensitive "ticket" to be let in). For example, we use a ticket that consists of the member's username, a timestamp, and an md5(username, timestamp, time-based-secret). Of course we have to be very careful that the system clocks on our servers don't fall out of sync.
I don't know of any publicly available tools to do this. We had to heavily modify Apache::AuthCookie to allow one login seamless access to multiple domains.
That's what I meant: under standard cookies it isn't possible to auth under multiple domain names, so it wouldn't work. I tried seeing if there is any way you can set auth in the browser, but that's impossible.
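A sketch of the time-limited ticket described in the quoted post, added here as an example and not taken from NetRodent's modified Apache::AuthCookie. It swaps the post's md5(username, timestamp, secret) for HMAC-SHA256 with a constant-time comparison. The function names, the single shared secret (standing in for the post's time-based secret), and the MAX_AGE / CLOCK_SKEW values are assumptions.

```python
import hashlib
import hmac
import time

MAX_AGE = 60     # seconds a ticket is accepted after issue (assumed value)
CLOCK_SKEW = 5   # drift tolerated between the two servers (assumed value)

def _mac(secret: bytes, username: str, ts: str) -> str:
    # Length-prefix the username so field boundaries cannot be shifted.
    msg = f"{len(username)}:{username}:{ts}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()

def issue_ticket(secret: bytes, username: str, now=None) -> str:
    """Run on the domain where the user logged in; put the result in the link."""
    ts = str(int(time.time() if now is None else now))
    return f"{username}|{ts}|{_mac(secret, username, ts)}"

def verify_ticket(secret: bytes, ticket: str, now=None):
    """Run on the second domain. Returns the username, or None if rejected."""
    now = int(time.time() if now is None else now)
    try:
        # rsplit keeps usernames containing '|' intact
        username, ts, mac = ticket.rsplit("|", 2)
    except ValueError:
        return None
    expected = _mac(secret, username, ts)
    # Check the MAC before trusting any field, in constant time.
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return None
    issued = int(ts)  # safe: the MAC proves ts is what the issuer wrote
    # Reject tickets from the "future" (issuer clock ahead) and stale ones.
    if issued - now > CLOCK_SKEW or now - issued > MAX_AGE:
        return None
    return username  # caller now sets its own domain's session cookie
```

A ticket can be replayed until it expires, so the window should stay short, and the verifier rejecting valid tickets is the visible symptom of the clock drift the post warns about.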