durusmail: quixote-users: Single-signon in Quixote
Single-signon in Quixote
David Warnock
2005-02-02
Ksenia,

> If I don't misunderstand it, I think it is not very secure... If
> someone logs onto Site A, and while he is still there I use his
> username and site_id (which is the same for all) to go to another
> site, I am authenticated?

Sure, exactly as described this is an issue. Just pass the session id and
IP address as query parameters on the URL. Pass the session back for
checking by the web service and check the IP address is the same.
Therefore you have to find the user logged onto A, know their ID, know
their session ID and IP address and forge your own IP address. I would
do all this over https rather than http as well.

Should be enough for most systems.

Dave
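The verification step Dave describes, written out as an added example (this is not code from the thread or from Quixote): the issuing site keeps a record of each session it handed out, a second site pulls the session id and IP address out of the query string, and the web service accepts only if the session exists, has not expired, and the recorded IP matches. The session store, the parameter names `session_id` and `ip`, the expiry field, and the extra comparison against the IP the second site actually observes on the incoming connection (rather than only the one carried in the URL) are assumptions of this example.

```python
import time
from urllib.parse import urlparse, parse_qs

# Constructed sample session store standing in for the issuing site's
# session table (assumption: one record per session id, holding the user,
# the IP address seen at login, and a Unix expiry time).
SESSION_STORE = {
    "s3ss10n-abc": {"user": "alice", "ip": "192.0.2.10", "expires": 1_900_000_000},
    "s3ss10n-old": {"user": "bob", "ip": "192.0.2.20", "expires": 1_000_000_000},
}


def parse_sso_request(url):
    """Pull session_id and ip out of the query string of the cross-site URL.

    Returns (session_id, ip); either is None when the parameter is absent.
    """
    qs = parse_qs(urlparse(url).query)
    session_id = qs.get("session_id", [None])[0]
    ip = qs.get("ip", [None])[0]
    return session_id, ip


def verify_session(session_id, claimed_ip, observed_ip, now=None):
    """Check performed by the web service on the site that issued the session.

    Accepts only when the session id is known, has not expired, and the IP
    recorded at login equals both the IP passed in the URL and the IP the
    receiving site observed on the connection (the second comparison is an
    addition of this example). Returns the username on success, else None.
    """
    now = time.time() if now is None else now
    record = SESSION_STORE.get(session_id)
    if record is None:
        return None
    if record["expires"] <= now:
        return None
    if record["ip"] != claimed_ip or record["ip"] != observed_ip:
        return None
    return record["user"]


def authenticate_cross_site(url, observed_ip, now=None):
    """Full flow for the receiving site: parse the URL, then ask for verification."""
    session_id, claimed_ip = parse_sso_request(url)
    if session_id is None or claimed_ip is None:
        return None
    return verify_session(session_id, claimed_ip, observed_ip, now=now)


if __name__ == "__main__":
    url = "https://siteb.example/sso?session_id=s3ss10n-abc&ip=192.0.2.10"
    print(authenticate_cross_site(url, "192.0.2.10", now=1_500_000_000))
```

In a real deployment the `verify_session` call would be a request from the receiving site to the issuing site's web service, and, as the message says, every leg of it belongs on https so the session id is not readable in transit.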
