Securely Passing Info Between Sites

This is a brief discussion of a way that I have worked out to securely pass information between two different web sites. The method allows a login on one site to be used to provide a login on a second site automatically. We are not going to deal with the security within each site; we simply look at how to pass the information from one site to the other in such a way that, even if someone is able to intercept the data being passed, in plain text, they will still not be able to use it to log in to the second system.

The process involves passing information from the first site to the second, passing information back to the first site, and then passing further information to the second site. Only if the correct information is passed at each of these steps will the code on the second site proceed with the login.

First we need two pieces of information known to both sites without that information having to be passed as part of the process. One is a number that identifies the particular second site connecting back to the first site; the other is a random string of characters that acts as a shared secret, so it should be long and generated randomly rather than chosen by hand. This second value can be changed whenever required, as long as it is changed at the same time on both sites.

So on to the process itself. The first thing to do on the main site is to check that the user is actually logged on to that system. If they are not, they need to be redirected to the login page and only return to this remote access script once they are logged on. Next, generate a login token (a random, single-use value) and save it together with the identity of the user who is logged on, the user's IP address and the current time; the time is saved so that entries which are never completed can be expired. Control then passes to the second site, passing it only the login token value.

The second site then needs to pass information back to the first site in order to confirm that a valid connection has been made and to request information about who it is that is actually logged on. We can use cURL for this so that the information can be sent back and the new information retrieved all from the same script. This allows the data to be passed as POST variables instead of GET variables (which adds little security on its own, though it does keep the values out of URLs, browser history, referrer headers and access logs), but more importantly it means that there is only the one script running on the second site, so someone can't bypass any of the processing by running just the last step.

The information this script needs to pass back to the main site is the login token passed to it, the site number and the user's IP address, plus a keyed hash of those values computed with the random string. Sending the random string itself would expose it to exactly the interception this scheme is defending against; sending a keyed hash instead lets the main site recompute it and know that only a site holding the string could have produced it, while the string never travels over the wire. A script running on the main site then checks that the number and hash match, that the token and IP address match an entry saved just prior to that remote script being called, and that the entry's saved time is still recent. Note that we need to pass the IP address in this case because the user IP address as far as the script called via cURL is concerned is the second web site's server and not the user's computer. Once the matching saved entry is found we delete it (before running the remaining checks, so that a failed attempt consumes the token too) to ensure that this validation process can only run successfully once without starting over from the beginning.

At this point we can pass the actual info required for the login to the second site. Only a few fields need to be passed: a unique username and enough fields to identify the person should be sufficient. The information to this point should be secure enough to actually create a new user login for the person if one doesn't already exist, so we only really need to pass enough information to identify the person who is logging in. We apply one last security measure, though, to prevent someone simply intercepting this data: we pass one extra field that is a keyed hash (an HMAC) of several of the fields being passed, computed with the random string already known at both sites, which therefore doesn't need to be passed this time. The second site recreates the hash from the fields it received and checks, using a constant-time comparison, that the two values are the same. This ensures that none of the values in this final pass can be substituted so as to give access to anything other than what was expected from the original request.
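The three steps described above, as an added example that is not the author's code: both sites run in one process, with the second site's cURL POST replaced by a direct call so that the exchange can be run offline. The site number, shared string, user records and IP addresses are constructed for the example. It also includes the login token among the fields covered by the final hash, an assumed tightening not in the text, so that the third pass is bound to the one request.

```python
"""Simulation of the three-step cross-site login handoff.

Both sites live in one process here; in a real deployment step 2 is the
second site's server POSTing to the main site (cURL) and step 3 is the
main site's response body. SITE_NUMBER, SHARED_STRING, the user records
and the IP addresses used in the tests are all constructed for the example.
"""
import hashlib
import hmac
import json
import secrets

SITE_NUMBER = 7                                        # assumed: identifies the second site
SHARED_STRING = b"replace-with-a-long-random-value"    # assumed: the secret known to both sites
TOKEN_TTL = 60                                         # seconds a saved login token stays valid


def keyed_hash(secret, fields):
    """HMAC-SHA256 over a canonical encoding of the fields, keyed with the
    shared string. Used for the callback proof (step 2) and the integrity
    hash on the final pass (step 3); the shared string never goes on the wire."""
    msg = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


class MainSite:
    def __init__(self, users):
        self.users = users        # username -> profile fields (constructed)
        self.pending = {}         # login token -> saved request record

    def start_remote_login(self, session_user, client_ip, now):
        """Step 1: only a logged-on user may start the handoff. Returns the
        login token to pass to the second site, or None (redirect to login)."""
        if session_user not in self.users:
            return None
        token = secrets.token_hex(16)
        self.pending[token] = {"user": session_user, "ip": client_ip, "time": now}
        return token

    def confirm(self, token, site_number, proof, client_ip, now):
        """Steps 2 and 3: called by the second site. Validates the callback,
        deletes the saved record so the token is single use, and returns the
        login fields plus an integrity hash, or None on any mismatch."""
        record = self.pending.pop(token, None)     # remove first: a failed attempt also consumes it
        if record is None or site_number != SITE_NUMBER:
            return None
        expected = keyed_hash(SHARED_STRING, {"token": token, "ip": client_ip, "site": site_number})
        if not hmac.compare_digest(proof, expected):
            return None
        if record["ip"] != client_ip or now - record["time"] > TOKEN_TTL:
            return None
        fields = dict(self.users[record["user"]])
        fields.update({"username": record["user"], "ip": client_ip, "token": token})
        fields["hash"] = keyed_hash(SHARED_STRING, fields)   # binds every field to this request
        return fields


class SecondSite:
    def __init__(self, main_site):
        self.main = main_site
        self.users = {}           # local accounts, created on first login

    def remote_login(self, token, client_ip, now):
        """Runs step 2 (callback with proof) and step 3 (verify the returned
        fields) in the one script. Returns the username now logged in here, or None."""
        proof = keyed_hash(SHARED_STRING, {"token": token, "ip": client_ip, "site": SITE_NUMBER})
        fields = self.main.confirm(token, SITE_NUMBER, proof, client_ip, now)
        if fields is None:
            return None
        received_hash = fields.pop("hash")
        if not hmac.compare_digest(received_hash, keyed_hash(SHARED_STRING, fields)):
            return None                              # any substituted field changes the hash
        if fields["ip"] != client_ip or fields["token"] != token:
            return None                              # reply is for a different request
        self.users.setdefault(fields["username"], {"name": fields["name"]})
        return fields["username"]


if __name__ == "__main__":
    main = MainSite({"alice": {"name": "Alice Example"}})
    second = SecondSite(main)
    tok = main.start_remote_login("alice", "203.0.113.5", now=1000)
    print(second.remote_login(tok, "203.0.113.5", now=1005))   # alice
    print(second.remote_login(tok, "203.0.113.5", now=1006))   # None: token already used
```

Each failure mode the text relies on is a separate `None` return: an unknown token, a wrong site number, a bad proof, an IP that differs from the one saved, a stale entry, or a final-pass field that no longer matches the hash.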

Using the above process we can transfer the selected fields to the second site, to be used to log in there, only if the person initiating the request can successfully log in on the first site. Intercepting the first or second set of data passed will do no good, as that data is set up to be single use. Intercepting the third set of data being passed will give information that could be used to log in, but only if it is substituted for the equivalent data of the third pass of a different request. Because the user's IP address is part of the hash, such a substitution would only work for a request made from the same computer, so at best it would allow one member to access another member's account on the second site where both share the same computer. Including the single-use login token among the hashed fields closes even that gap, since the hash is then valid only for the one request it was generated for.


This article written by Stephen Chapman, Felgall Pty Ltd.
