I'm currently trying to join 2 web apps on different domains example1.com and ex.example2.net so that you can login to example1 and click on a link to example2 and be instantly signed in, as it would be more convenient for customers to just login the once and navigate between the sites.
I've researched various means ie. php sessions, openID, JOSSO and Kerberos, but what would be a secure and easy way to implement this?
Kerbros is very extensive and for systems requiring high security. Its very difficult to work with, and even just setup over all, I would not suggest this route unless you know linux very well, and provided your hosting provider allows you that type of access over the machine.
Im not familiar enough with JOSSO or openID to comment well on those however.
Any php sessions are only good for the domain, and server the domain is on, kind of like cookies but not, though in all you would use them.
I think your easiest solution more so if the 2 sites are on the same hosting account/server. Is to have a database specific to this cause. What you would do is create a login system like you would normally but instead you would have 2 sites reading off this login. Aside from the normal login you would also have a session tracking table. Typically you already set sessions when users login to keep them logged in, and you'd do the same here, but you'd add a cookie into the equation one both sites can recognize and use to compare entries in this new table where your tracking your users. I'd say keep try by IP, Browser, and maybe a userID all in one cookie with a unique hash of some kind as well thats specific to the user based on something only the servers could recreate on the info they have for the user.
Of course I dumb it down in conceptual speak, its a little more elaborate than I make it out to be, but this would be your general stepping stones.
Also if the sites are independent of one another you could always create an API between them to pass info back and forth JSONP style so one can act as the hub for the login while the other just validates
But in all its all dependent of what your wanting to do overall how, when where, etc..
You can have one application handle logins for both sites using php sessions.
example1.com
user logs in and php session cookie is stored.
ex.example2.net
check example1.com and validate session cookie. if it does not exist redirect to example1.com login page or a custom login page on example1.com. If it does exist, then log the user into ex.example2.net.
If you only want a link then you generate a hash and pass that to the second app once they have logged onto the first. If the hash validates, then log them in.
If it works for you, my suggestion would be to go the openID route. It's the easier way and it's secure enough. Besides, the registration process is easier and quicker to users too.
You can actually only allow IDs from your sign-in domains, if you prefer, making it pretty much a "private" login system.
There are downsides too... You don't have fine control over the registration process, you are dependent of openID authorization process... There are some problems that might happen if your host is not well configured (timezone differences, for instance).
But overall, it's a relatively secure system, easy to implement.
Kerberus is extremely secure but it's a nightmare to work with. Unless you're dealing with highly sensitive user information, like credit card numbers, or think your websites make apetizing targets for hacking I don't think it's worth your time.
I would use a database table that is shared between the two sites. If you go down the PHP session route don't try and just pass the session data from one site to the next on separate domains, it won't work. I found this post helpful many moons ago: Single Sign On across multiple domains
Related
We are currently using a custom login system that sets a hash in the database on one site, and then when the user transfers between domain and sub-domains it logs them in. It doesn't always log the user in so they click on on the login link/button and it takes them to the login and if they have a session it loads it otherwise it shows the login page.
We would like to get away from that and use something better. With php there is session_set_cookie_params and we were wondering is this secure?
session_set_cookie_params(3600, "/", ".example.com");
If this isn't a good way to use a session across multiple domains what is a better one?
We also have a few subdomains that use their own login system where the same user has a different username/password on that system, will this/that be a problem? We feel that it could be possible that two different people could have the same session id logging two different people on to the same account, since they manage their own sessions.
It is a fine approach, however you have to consider that, if all domains/subdomains you want involved in the same session are not on same server or reside within different applications, that you need to provide some common backend session-storage mechanism that all applications can access for session data.
As far as dealing with multiple logins, you would likely need a logical way to link the logins together so that you can understand that a valid session under one login could be transferred to another login on a different domain. This is really your largest security concern, and one that should likely be addressed by implementing a single sign-in mechanism.
Normally When I design a site that allow users to login, I create session variables of the user info from the database and ensure that at least one of the session variable is available on each page of the site, else the user would be redirected to the login page like this:
if(!isset($_SESSION['username']))
{
header("Location:login.php");
}
But then I've been thinking lately, instead of using session variables to authenticate users, why not use the query string. My idea is to create a unique string which is based on some factors, like date(month, year, day) or access time(day, hour) or ip address, and maybe hash it using md5 so the url might look like this
://mysite.com/dashboard?auth=12jsdnnau819wiskj3jdnck23ksj12j3.
So now I can easily logout a user if he has not accessed the site for more than one hour or more than one day. But I do not know if this is a good idea, that is why i am here, to seek for advice on a better way to go. Thanks all.
Because URLs:
Leak easily
Get bookmarked
Don't carry their data over automatically when the user opens a new tab and navigates back to the site
and because nothing is stopping you from storing the same data in a session and using that to easily logout a user so it doesn't even add the one benefit you highlight.
Don't do this.
Do you remember the days when PHP session ID could be stored in the URL, and you would have URLs that look like: index.php?PHPSESSID=.... ?
We have moved away from this to more secure implementations, user friendly URLs, etc.
Just as a simple example of what can go wrong: A web crawler can crawl your website, and if reaching the admin panel with a properly authenticated URL (as you described), it could become publicly available to ... anyone.
So ... don't reinvent the wheel.
I can think of a few reasons not to do this:
The hashed request parameter is publicly visible. This means anyone using that url will be considered an authenticated user.
As I can see, the token is per user, so all requests using this token will be done on behalf the same user. If you share a url, anyone using that url will impersonate the same user, and have all the access rights granted to that user.
Other answers have mentioned that the urls can easly leak, or be bookmarked. In addition to their points, once the token expires, the url may become broken, if you trigger a login or other authentication redirect mechanism.
A pure technical drawback of your idea is also this: you need to persist the token when navigating across different pages in your app
The HTTP Session has been designed to serve this purpose and at the same time be safe enough. The application session length can be tuned so that it matches your requirement. I recommend you to get familiar on how HTTP sessions work and how to tune your session expiration policy, rather than compromise your application's security
I have moodle LMS in three different countries (Ex:India, America, Eurppe). For these sites they have individual administrators. Suppose I am the main Administrator, I want to be able to manage all websites with one login.
If I login in Indian LMS and select America LMS in DROP DOWN, then the session should transfer to America LMS. Is there any solution for this?
If your sites are subdomains of the same domain you should consider reading this:
PHP Sessions across sub domains
To set cookie for the main domain and all subdomain. So you can read the same cookie from us.foo.com and also from eu.foo.com
Plus you should have a unique user database or more than one syncronized (i'd prefer the first option anyway).
You're going to encounter cookie domain restrictions as your first major barrier. Essentially, you can't read a login cookie (which are required for sessions to work) from a domain other than the domain that issued it, so a moodle instance at us-foo.com will never be able to read a login cookie from eu-bar.com.
The simplest way to route around this would be to use a separate login form. On submission, use JavaScript to open hidden iFrames to the login pages of all three sites, with the username and passwords passed via GET parameters. Moodle may not natively support login credentials being sent with GET; you may need to edit the login scripts.
There's a forum thread about doing just this with Moodle, though - you may be in luck.
But in any case, for a login multiplexing hack like this to work it will mean you have to keep the admin username and password constant between your three sites. You could enforce this in the database using triggers, if they're all run from the same database; otherwise you'll want to alter the password changing script to write those changes to the remote databases.
Is this a serious undertaking? Kind of. Unfortunately, it's not a very robust solution, and it is likely to be extraordinarily fragile when it comes to updates and the like. You may find that the best choice is to just login separately, particularly given that these hacks don't easily lend themselves to being embedded in the main login for the sites, and you'll need to use similar ad-hoc synchronization to make logging out take place across the network as well.
I have a server say 'XYZ' and many clients of different domain, say A, B and C. authentication is done at server.
- when user comes first time to any of the site, we will ask him to create the account for the site. he will enter email and password. we will sent the data to server and stores thr. now he has account in 'XYZ' so that he can login to any of the site A, B and c.
Next:for example say, He come to site B, to login, he enters email and password. we will take this data to server to verify, if password matches with email, we send status 'Yes' back to client so the he login successfully and go to inner pages.
Because sending email and status 'yes' back to clink is not safe. we are using socket programming. so that outside people will not know what data we are sending and getting back.
because we are using socket, we are not able to create any session or cookies, because we are not opening server site in browser.
I want,like: when user successfully logs into site B. if simultaneously in next tab he goes for site C. he should not asked for to login(should not show login page). he automatically gets logged in(goes to inner pages).
The thing you're looking for is called single sign-on (abbreviated SSO) and it is a hard problem to solve correctly. There are lots and lots of SSO schemes, all of which suck horribly in their own special way.
A major obstacle in the way of your goal is how we normally keep track of logins on the web: cookies. In particular, one domain can only set cookies that belong to it. This means that if your three web sites are on three different domains, you can not have one site set a cookie for the others.
A common way around this is to actually place the authentication service on yet another domain name. Whenever you need to check that a user is logged in, you direct them to that authentication service. A popular unified sign-on mechanism, OpenID, uses this technique. OpenID is what StackOverflow uses.
(If you use the various StackExchange sites, you may have noticed that you can sometimes be automatically logged in to the others after loading a page. I'm still not sure how this works, and haven't investigated yet.)
From what you've described, you'd be well-served by central authentication. You may even find that implementing a system based on OpenID could even work well for your sites... though if you do that, I encourage you to hide the complexity of the whole URIs-as-identities thing, normal end-users are unlikely to understand the concept.
Can you set a cookie in your browser after the user logins in the XYZ site?
So now when the user visits the site A, B or C, you can check whether cookie is set against XYZ domain, and if yes, you can login the user. But note that you can only share cookies across sub domains (of XYZ), not different domains.
I have developed a web application in PHP for a client. The client is now renting out access to the system to another company on a per user basis.
Is there a way to prevent the secondary company to use a single login and give it to 20 people to use at the same time? I know one can get the IP address of the client machine that is being logged in from, but this is obviously not very reliable method. The answer probably lies in a combination of cookies and tracking things in a database, but my brain gets a bit stuck thinking on how to implement a strategy here.
Create a unique session ID when a user logs in and store that in the DB. Add something to the session authentication code (run on all page visits) that checks that the user's session ID is equal to the one in the DB and if not, log them out. Then your web app will be accessible by only one user at a time.
To be completely honest though, can't you raise this issue with your client?
No way to tell if the login is shared among 20 people. You can restrict access by blocking simultaneous usage thru session cookies.
Most of all, protect yourself with a published Terms and Conditions document. Violation of which - revokes any standing agreement/contract. And sue them if you can provide evidence (logs) that they violated it.
Make sure you bind one user to one session. In that way you can generate a warning screen if somebody uses the same login with another session. You can then let the user choose to close the other session.
In that way you can make sure two users are not using the system at the same time. It's a bit like a software program you have installed on a computer: multiple users can use it, but only one at a time. This is probably fine.
If you don't want that, you should try to bind the login more firmly to the user: make sure he logs in with a personal e-mail address, and he gets notifications (if applicable) via e-mail. Also let the user set personal configurations. In that way you create extra value for users to have their own account.
If you have a login you have authentication, and you write any user id in session, make sure that only one session with this id created, if the session already exists throw error message.
The only problem you will have in case and user did not logout properly, instead of it pressing x button on browser then he will not be able to login till session s not expired.