I've been charged with trying to find out how something
like this can be done if it is at all in fact possible.  The info
I'm hoping to get is what would be involved and where I 
can find information on it.  I'm not asking for code or 
examples unless you really want to provide them. :P

Anyways, what we need to be able to do is the following:

* Have a user be able to authenticate on a *trusted* partner 
website that resides on a server external to our network.

* Have that external website securely transmit information
(preferably not on the URL :p) with regard to the 
authentication information on that user; the auth info
will be the same on both servers.  This would allow the
user streamlined access to the areas on our website that
would otherwise require the user to log in without forcing
them to do so.

* The other aspect to the above that we also need to address is
when a user signs up for the first time on the trusted partner's
site, that signup information should be securely transmitted to 
us when/if the user attempts to access our site so we could set 
them up in the database and authenticate them by nature of the 
above.

Is something like this possible?  What would be involved?  Is
there something that is already built into Apache/PHP that
would make it easier?  Someone suggested XML database transfer, 
but I've never heard of XML being anything other than a markup 
language much less capable of storing data?  It was also suggested 
that we use something like public key/private key but am not sure
how that would work... 

We are using:

Apache 1.3.12
PHP 4.0.3pl1
PHP4 session-based (not HTTP basic) authentication using MySQL
to store the ID/PW

I realize the security implications of something like this and have
brought them up myself.  However, it's something that is being 
pushed and so I've got to look into it (and I don't even really know 
where to start) so please don't say it's stupid because I already know. 
:)  Is something like this possible?  What's involved?  Where can I go 
to learn more?

Thanks!

Chris
