My reason for using SSL was that the username/password combination
wouldn't be transmitted in plaintext... that's all. If you're passing the
credentials in plaintext to the Win2k machine though going to SSL for the
auth on PHP/Linux wouldn't really make any sense I suppose.
Justin Buist
Trident Technology, Inc.
4700 60th St. SW, Suite 102
Grand Rapids, MI 49512
Ph. 616.554.2700
Fx. 616.554.3331
Mo. 616.291.2612
On Wed, 19 Sep 2001, Evan Nemerson wrote:
> SSL would be useless. It has no facilities for authentication, which is what
> we need here. Basically, SSL encrypts communications between two computers-
> it doesn't care which two and is therefore vulnerable to man-in-the-middle
> attacks.
>
>
> On Wednesday 19 September 2001 08:22, you wrote:
> > > Customers are authenticating through an IIS server against a database on
> > > Win2K. How do I securely pass this information to a separate
> > > PHP/apache/UNIX system? Since any parameters could be forged, it seems
> > > I'd need a cryptographic approach. Does anyone have experience with a
> > > cross-platform solution (ASP/IIS/Win2K and PHP/apache/Linux)?
> >
> > Perhaps I'm making this too simple; but what exactly is the problem? You
> > have a DB on a Win2k box with user authentication information and some
> > scripts in IIS that use that to handle user logins, right? When you toss
> > them over to the PHP/Linux system do it via SSL, encode the
> > username/password in some GET or POST data, and let the PHP scripts
> > authenticate them against the same Win2k database, then give them a
> > session variable with their user credentials.
> >
> > This is of course assuming that you can get the PHP on Linux and your DB
> > on Win2k talking, which might currently be prevented by a networking
> > issue. If you can't fix the network look into mechanisms for replicating
> > the data from the Win2k machine to the Linux machine on a nightly/hourly
> > basis.
> >
> > Justin Buist
> > Trident Technology, Inc.
> > 4700 60th St. SW, Suite 102
> > Grand Rapids, MI 49512
> > Ph. 616.554.2700
> > Fx. 616.554.3331
> > Mo. 616.291.2612
>
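
Added example, not part of any message in this thread: one form the "cryptographic approach" raised in the original question can take, a short-lived HMAC-signed handoff token that the PHP side verifies so a forged or replayed parameter is rejected. The shared key, the token layout and the function names `issue_token` and `verify_token` are assumptions made for illustration; the issuing side is shown in PHP for brevity, and the ASP page would have to compute the same HMAC-SHA256 over the same payload.

```php
<?php
// Shared secret provisioned out of band on both servers (constructed sample value).
const HANDOFF_KEY = 'constructed-sample-key-use-32-random-bytes-instead';
const MAX_AGE = 60; // seconds a token is accepted after it was issued

// Issuing side: username, issue time and a random nonce, then an HMAC over all three.
function issue_token(string $user, string $key, int $now): string {
    $claims  = ['u' => $user, 't' => $now, 'n' => bin2hex(random_bytes(8))];
    $payload = base64_encode(json_encode($claims));
    return $payload . '.' . hash_hmac('sha256', $payload, $key);
}

// Receiving side: returns the username, or null if the token is forged, stale or reused.
function verify_token(string $token, string $key, int $now, array &$seen): ?string {
    $parts = explode('.', $token);
    if (count($parts) !== 2) return null;
    [$payload, $mac] = $parts;
    // Check the MAC in constant time before parsing anything the client controls.
    if (!hash_equals(hash_hmac('sha256', $payload, $key), $mac)) return null;
    $claims = json_decode(base64_decode($payload, true) ?: '', true);
    if (!is_array($claims) || !isset($claims['u'], $claims['t'], $claims['n'])) return null;
    if (abs($now - (int)$claims['t']) > MAX_AGE) return null;   // expired or clock skew
    if (isset($seen[$claims['n']])) return null;                // nonce already used
    $seen[$claims['n']] = true;
    return (string)$claims['u'];
}

$seen = [];   // stand-in for a nonce store shared by all PHP workers
$now  = time();

$token = issue_token('alice', HANDOFF_KEY, $now);
var_dump(verify_token($token, HANDOFF_KEY, $now, $seen));        // first presentation
var_dump(verify_token($token, HANDOFF_KEY, $now, $seen));        // same token presented again
var_dump(verify_token($token, HANDOFF_KEY, $now + 3600, $seen)); // presented an hour later

// Token signed by someone who does not hold the shared key.
$forged = issue_token('admin', 'guessed-key', $now);
var_dump(verify_token($forged, HANDOFF_KEY, $now, $seen));
```

The token is integrity-protected but not encrypted, and it carries no password. Pass it through `rawurlencode()` when placing it in a query string, since base64 output can contain `+`, `/` and `=`.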