Allowing login from a different site . . .

nedstar1

IS-IT--Management
Mar 2, 2001
127
US
OK, here's the run-down:

I have a site that is open to registered users only. Users are registered by their parent company. I have set up my authentication so:

The user logs in with email address and userID (unique to the user); my page checks tbl_users for a row that contains both values, and returns results. I count the results, and if it is greater than zero, they are authenticated and allowed to proceed. Very easy, and because I know the userID is unique, effective.

Well, now the parent company wants to integrate the site into their intranet, essentially linking to my external site from the intranet. However, they want me to allow them to bypass my login screen. To do this, they will send a variable via post as part of their link. It will contain one value called auth - that value contains BOTH the email address and the userID like this "UserID,emailaddress" (eg "BOBBY01,bobby@yourcompany.com").

So it's one value with two values in it, separated by a comma. If the user on their intranet is not a company employee (like a consultant or something), the value for UserId will be -2.

Additionally, they will be referring from one of two domains - I will need to check the referring URL to ensure it is either my login screen, or one of these two URLs , and to deny access otherwise.

I think I can make all of this work, but I just want someone to check my logic before I get deeply involved in doing the wrong things.

Here's what I think I need to be doing:
First: I need to check the referring URL to make sure it's cool. If it is, go to step 2, if not, they can get bent.

Second: If the referring URL was my login page, the $pwd and $username should be set (checking with isset), and I can proceed normally. If the referring URL was one of their two pages, I need to proceed to a parsing process on auth, and to unset $pwd and $username.

Third, part A: referred from my login page, $pwd and $username are compared to the db, rows returned and counted, if greater than zero, rock on.
part B: if referred from other two URLs, I need to (extract? parse?) auth into two parts and set the values of $pwd and $username accordingly. I do not yet know how to do this, but I will RTFM and try to find out. I will then use my query with these values for $pwd and $username and count returned rows, and if greater than zero, rock on.

I think that's all I need to do. There is no user-driven registration process; registered users are notified of their registration by the home office, and access to the link is restricted to these people. Any non-employee who clicks the link will send an unrecognized userID (-2) and will be denied. I am thinking it does not matter that the value is -2 - just that it doesn't match anything in the db.

Anyone see any problems with my logic, have manual pages I should read, or suggestions on alternative ways to address the problem? I have to be live 10/7, so I've got plenty of time. . .

Thanks folks,

Regards, and TIA,
Nedstar1
 
First: I need to check the referring URL to make sure it's cool.
It is incredibly easy to tamper with that. Mozilla/Firefox has a plugin that lets you tamper with all kinds of headers etc.

What kind of authentication method do they use in their intranet? Maybe you can hook into that.

Setting the password after retrieving it from the db by username seems unadvisable. I strongly suggest that you come up with a more secure way of logging these people in automatically. You don't want other people tampering with HTTP_REFERER or REMOTE_ADDR that know a username and e-mail to just get in, do you?


 
Your logic seems to be good. Your security seems to be good, not bulletproof as DRJ478 pointed out, but good enough for what you seem to require. Although maybe a password encryption or something similar might be a good choice.

Moving on, I believe Step 1 and 2 can be combined into a single step via an effectively positioned IF. such as:
Code:
[code]
if ($url == $yoururl) {
    // normal login
} elseif ($url == $allowedURL1 || $url == $allowedURL2) {
    // do the parsing
}
[/code]

As for the parsing there is a little command in PHP by the name of explode. It divides a string into an array of strings based on a delimiter such as a comma.

so if $value="user,Password";
and you use explode.
[code]
$login = explode(",", $value);
[/code]

$login[0] is going to be user, and $login[1] is going to be Password. Then you can do the checking in the DB.

Another suggestion might be to include a third verification value into the user and password variable, to verify, if there is no such value then send them away from the website, if there is then you can process the user and password.

Hope this helps

----------------------------------
Ignorance is not necessarily Bliss, case in point:
Unknown has caused an Unknown Error on Unknown and must be shutdown to prevent damage to Unknown.
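The explode() parsing and the database check described in this reply, as an added example that is not code from the thread. It parses the "UserID,emailaddress" value with a limit of 2 so an extra comma cannot add a third field, rejects the -2 non-employee marker before any lookup, and runs the tbl_users query as a prepared statement. The table layout (columns user_id and email), the in-memory SQLite database and the sample rows are all constructed for the example.

```php
<?php
// Added example: parse the intranet's "UserID,emailaddress" value with
// explode() and check the pair against tbl_users with a bound-parameter query.
// Assumptions: tbl_users has columns user_id and email; PDO with the SQLite
// driver is available (an in-memory database is used so this runs stand-alone).

declare(strict_types=1);

/** Split "UserID,emailaddress" into its two parts, or return null if unusable. */
function parseAuth(string $auth): ?array
{
    // Limit of 2: an e-mail address containing a comma cannot create a third field.
    $parts = explode(',', $auth, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$userId, $email] = array_map('trim', $parts);

    // -2 is what the intranet sends for non-employees; reject it explicitly
    // instead of relying on it merely not matching a row in the table.
    if ($userId === '' || $userId === '-2') {
        return null;
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    return ['user_id' => $userId, 'email' => $email];
}

/** True when exactly this userID/email pair is registered. */
function isRegistered(PDO $db, string $userId, string $email): bool
{
    // Bound parameters: the submitted values never become part of the SQL text.
    $stmt = $db->prepare('SELECT COUNT(*) FROM tbl_users WHERE user_id = ? AND email = ?');
    $stmt->execute([$userId, $email]);
    return (int) $stmt->fetchColumn() > 0;
}

// Constructed sample data standing in for the real tbl_users.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE tbl_users (user_id TEXT NOT NULL, email TEXT NOT NULL)');
$db->prepare('INSERT INTO tbl_users (user_id, email) VALUES (?, ?)')
   ->execute(['BOBBY01', 'bobby@yourcompany.com']);

// Constructed auth values covering the cases discussed in the thread.
$cases = [
    'BOBBY01,bobby@yourcompany.com',   // registered pair: allow
    ' BOBBY01 , bobby@yourcompany.com', // same pair with stray whitespace: allow
    '-2,consultant@yourcompany.com',   // non-employee marker: deny
    'BOBBY01,someone@else.com',        // userID and e-mail do not match: deny
    'BOBBY01',                         // no comma at all: deny
];
foreach ($cases as $auth) {
    $creds = parseAuth($auth);
    $ok = $creds !== null && isRegistered($db, $creds['user_id'], $creds['email']);
    printf("%-36s => %s\n", $auth, $ok ? 'allow' : 'deny');
}
```

Counting rows with COUNT(*) matches the "greater than zero" check from the original post; the prepared statement is what keeps that check safe when the values arrive from an outside system rather than from your own login form.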
 
If you are on an intranet why not make it easy and check on IP address?
 
Wow, great response!

Thanks for the information folks. Full responses:
DRJ478: Spoofed headers could be an issue with this design, I agree, but the security of the intranet is very good; all this will do is give them one click access to my site from their intranet, not a true integration. Compromising my system would not give you access to theirs.

Basically, they have a username and password for their intranet. Their security is good enough that they would not tell me more about it, or about their passwords. They seemed competent and suspicious; I suspect that their security is pretty good. Usernames are largely guessable, but I can't help that.

That's to access their site. I use different identifiers as login credentials (email and username). I was also provided with more information - shipping addresses, phone numbers (for FedEx) and such - I could plug in another check against these after address entry as another stopgap to placing an order. That would probably also suffice.



vacunita:Thanks for jogging my memory! Great Tip. Explode was exactly what I was trying to remember. I read the manual page once, but it was like my third day with PHP, and I was totally lost. I'll go back and read it again and see if I understand; your explanation is probably enough for me to get it working, though, so thanks again.

That's a good idea about the if statement, too. I thought I had that part worked out, but your code is a lot more efficient than anything I had. My only problem is that I only have part of the URL - I'm not sure how to only look at the start of the URL. What I mean is that they will only give me when it may well be coming from Any idea on the command? Search on first X characters?


hos2: I'm not on their intranet. I'll save your idea, though, for my in-house projects.


So, I'm going to tighten up security by adding a check on the ZIP and the state after address entry. I need to figure out how to compare two URLs that have the same domain and sub-domain, but not necessarily anything else.

Anything else?

Thanks a lot folks. Vacunita gets a star for the explode explanation.

Regards, and TIA,
Nedstar1
 
Thanks for the star. As for the URL, you can use another function called strpos to determine whether one string occurs in another, and how many times it occurs.



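Nedstar1 only knows the domain and sub-domain of the referring pages, not the full URL, so the comparison has to be on the host name rather than the whole string. The following is an added example, not code from the thread, that takes the host out of the Referer with parse_url() and compares it exactly, beside the strpos() substring check for contrast. The host names are placeholders. As DRJ478 noted above, the Referer header is supplied by the client and is easy to alter, so this only chooses which login path to run; access is still decided by the database lookup.

```php
<?php
// Added example: route the request by the Referer's host name.
// Host names are placeholders standing in for the real login page and the
// two intranet domains from the thread.

declare(strict_types=1);

const LOGIN_HOST     = 'www.example-shop.test';
const INTRANET_HOSTS = ['intranet.example-corp.test', 'portal.example-corp.test'];

/** Returns 'login', 'intranet' or 'deny' based on an exact host comparison. */
function refererRoute(?string $referer): string
{
    if ($referer === null || $referer === '') {
        return 'deny';                      // no Referer at all
    }
    $host = parse_url($referer, PHP_URL_HOST);
    if (!is_string($host)) {
        return 'deny';                      // unparsable or relative URL
    }
    $host = strtolower($host);              // host names are case-insensitive
    if ($host === LOGIN_HOST) {
        return 'login';
    }
    if (in_array($host, INTRANET_HOSTS, true)) {
        return 'intranet';
    }
    return 'deny';
}

/** The substring approach with strpos(), kept only to show where it differs. */
function refererRouteByStrpos(?string $referer): string
{
    if ($referer === null) {
        return 'deny';
    }
    foreach (INTRANET_HOSTS as $allowed) {
        if (strpos($referer, $allowed) !== false) {
            return 'intranet';
        }
    }
    return 'deny';
}

// Constructed sample Referer values.
$samples = [
    'https://intranet.example-corp.test/links/shop.html',     // allowed host, any path
    'https://INTRANET.example-corp.test/',                   // same host, different case
    'https://intranet.example-corp.test.example.net/',       // longer host that only starts the same
    'https://www.example.net/?next=intranet.example-corp.test', // allowed name appears in the query only
    'https://www.example-shop.test/login.php',               // your own login page
    null,                                                    // header absent
];
foreach ($samples as $r) {
    printf("%-60s host-check=%-8s strpos=%s\n",
        var_export($r, true), refererRoute($r), refererRouteByStrpos($r));
}
```

The two rows where the results differ are the third and fourth samples: strpos() finds the allowed name inside a longer host and inside a query string and reports 'intranet', while the host comparison denies both. When the page is only ever reached from the two intranet domains, the exact host match is the check that expresses that rule.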
 