Password Protection for Members Area

[WTF?]

Hey,

I need some help with this thing....

There is the Members Area for my site and another (bonus) Members area of another site (which I want to link together), but they are on two different servers in two different locations.

I have only ONE main username/password for the members area on the other server. Is there any way for my members to access the other members area using a simple link but without seeing the main username/password ?? (username:[email protected] in no good because first of all you can only access the members area the SECONED time you click the link and seconed of all everyone can see the username/password.)

Is there any JavaScript, PHP, CGI that can do something like that ??

I've been trying to get this to work for weeks now, I really need some help with this one.

Thanx in advance

[WTF?]

Anyone

[StupidNewbie]

cookies

[xxxtera]

Good question, I would like to know too!!!

[WTF?]

Quote:

Originally posted by StupidNewbie
cookies

How do you do it with cookies?

[foe]

Build a backend php/mysql solution just have both sites access the same database. Not that hard to do.

[foe]

LOL cookies is the one thing that specifically will NOT work, they are domain based.

[WTF?]

Quote:

Originally posted by foe
Build a backend php/mysql solution just have both sites access the same database. Not that hard to do.

I have no control over the other serve though ...

[4Pics]

Just allow people to access it without a password...

Tgp's do it, so why can't you?

[WTF?]

Quote:

Originally posted by 4Pics
Just allow people to access it without a password...

Tgp's do it, so why can't you?

Its password protected since it is also used as a members area for another site

[WTF?]

The other members area is not mine, I'm just need to share it with the other webmaster.

[foe]

Quote:

Originally posted by WTF?



Its password protected since it is also used as a members area for another site

Well thats not a problem you can use https://username:[email protected] and that would work..


Another Idea I just came up with, didnt do it before but 90% sure its possible have php send that login/password via headers. Similar like post instead of get the users would not see it and once they closed their browsers they would not be able to log back in, actually this idea is pretty interesting, will go read up on it now

[WTF?]

Quote:

Originally posted by foe


Well thats not a problem you can use https://username:[email protected] and that would work..


Another Idea I just came up with, didnt do it before but 90% sure its possible have php send that login/password via headers. Similar like post instead of get the users would not see it and once they closed their browsers they would not be able to log back in, actually this idea is pretty interesting, will go read up on it now

Anyone knows how to do this?? (Don't know PHP )

[foe]

Ill im you on icq

[NetRodent]

Quote:

Originally posted by foe
LOL cookies is the one thing that specifically will NOT work, they are domain based.

Actually the only good way to do it IS with cookies. You can't use basic authentication, because the surfers browser will only send the username/crypted password to the realm (and thereby domain) that the surfer entered the password for and you can't modify that server side. You can also play around with authenticating by referring url, but you can't rely upon that being present, its easy to forge, and you loose the ability to track what a particular user is doing.

If you want authenticate/authorize across multiple domains, it needs to be done with a variable you have control over server side, such as cookies, you can do cross site authentication/authorize , although it is a real pain to set up and you need to have control of both servers and there are some compatibility issues.

Basically, you change your authentication/authorization from looking at the username and password to looking at a cookie (which only gets set on two conditions, if the user enters a valid username/password on a login form, the user clicks on a link leading to the protected area that contains a time-sensitive "ticket" to be let in). For example, we use a ticket that consists of the members username, a timestamp, and an md5(username, timestamp, time-based-secret). Of course we have to be very careful that the system clocks on our servers don't fall out of sync.

I don't know of any publically availiable tools to do this. We had to heavily modifiy Apache::AuthCookie to allow one login seamless access to multiple domains.

[NetRodent]

Quote:

Originally posted by foe

Another Idea I just came up with, didnt do it before but 90% sure its possible have php send that login/password via headers. Similar like post instead of get the users would not see it and once they closed their browsers they would not be able to log back in, actually this idea is pretty interesting, will go read up on it now

Unfortunately that won't work. PHP (or any other server side app) can send any header they want to the client, but they can't make the client send that header in any subsequent requests to other sites.

[WTF?]

Thanx NetRodent

[Daymare]

Quote:

Originally posted by StupidNewbie
cookies

Mmmmmmm...... cooookies!

[WTF?]

How about something more simple? Encryption, just make a link like http://username:[email protected] and just encrypt the whole html page where that link is located so that no one could see the source code.


Or something like that .....

[foe]

Spoke with a bunch of people and experimented myself, doesnt look possible you are not able to send auth variables into the browser.

[foe]

Quote:

Originally posted by NetRodent


Actually the only good way to do it IS with cookies. You can't use basic authentication, because the surfers browser will only send the username/crypted password to the realm (and thereby domain) that the surfer entered the password for and you can't modify that server side. You can also play around with authenticating by referring url, but you can't rely upon that being present, its easy to forge, and you loose the ability to track what a particular user is doing.

If you want authenticate/authorize across multiple domains, it needs to be done with a variable you have control over server side, such as cookies, you can do cross site authentication/authorize , although it is a real pain to set up and you need to have control of both servers and there are some compatibility issues.

Basically, you change your authentication/authorization from looking at the username and password to looking at a cookie (which only gets set on two conditions, if the user enters a valid username/password on a login form, the user clicks on a link leading to the protected area that contains a time-sensitive "ticket" to be let in). For example, we use a ticket that consists of the members username, a timestamp, and an md5(username, timestamp, time-based-secret). Of course we have to be very careful that the system clocks on our servers don't fall out of sync.

I don't know of any publically availiable tools to do this. We had to heavily modifiy Apache::AuthCookie to allow one login seamless access to multiple domains.

Thats what i ment under standard cookies it isnt possible to auth under multiple domain names so it wouldnt work. I tried seeing if there is anyway you can set auth in browser but thats impossible.

[WTF?]

Thanx anyways ...

[foe]

Hey I tried, also asked some other pros none of them new anyway to do it with headers goodluck though. There may be some otherways, however you say that you have no access to the other webserver whatsoever, right?

[WTF?]

Quote:

Originally posted by foe
Hey I tried, also asked some other pros none of them new anyway to do it with headers goodluck though. There may be some otherways, however you say that you have no access to the other webserver whatsoever, right?

Ya man, I'm just sharing the members area on it, cant change anything