Here is an idea I had. It will require that all the sites in question
maintain very accurate clock synchronization, but it doesn't require any
database writes.  It assumes that the passwords are stored using MySQL's
PASSWORD("") function.

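$user_table="website.authorized_users";
$now=gmmktime();             // current time as a Unix timestamp
$interval=300;               // length of one time slot, in seconds
$rnow=$now-($now%$interval); // start of the current time slot
$persist=6;                  // number of earlier slots still accepted

// Check the password; return the hash for the current slot, or FALSE.
function auth_hash($user,$pass){
 global $user_table,$rnow;
 // Escape user input before it goes into the query string
 // (mysql_real_escape_string needs an open MySQL connection).
 $u=mysql_real_escape_string($user);
 $p=mysql_real_escape_string($pass);
 $q='SELECT PASSWORD("'.$p.'") as p1, password as p2 FROM '.
        $user_table.' WHERE username="'.$u.'"';
 $r=mysql_query($q);
 $row=$r?mysql_fetch_array($r):FALSE;
 // No row means an unknown user; without this check the comparison
 // of two missing values would succeed.
 if($row && $row['p1']===$row['p2']){
  $retval=mhash(MHASH_MD5,$user.$row['p2'].$rnow);
 }else{
  $retval=FALSE;
 }
 return $retval;
}

// Check a hash from auth_hash() against the current and earlier slots.
function auth_logon($key,$user){
 global $user_table,$rnow,$persist,$interval;
 $u=mysql_real_escape_string($user);
 $q='SELECT password FROM '.$user_table.' WHERE username="'.$u.'"';
 $r=mysql_query($q);
 $row=$r?mysql_fetch_array($r):FALSE;
 if(!$row){
  return FALSE; // unknown user or failed query
 }
 for($i=0;$i<=$persist;$i++){
  $str=$user.$row['password'].($rnow-($interval*$i));
  $hash=mhash(MHASH_MD5,$str);
  if($key===$hash){
   return TRUE;
  }
 }
 return FALSE;
}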




"Boget, Chris" wrote:
> 
> I've been charged with trying to find out how something
> like this can be done if it is at all in fact possible.  The info
> I'm hoping to get is what would be involved and where I
> can find information on it.  I'm not asking for code or
> examples unless you really want to provide them. :P
> 
> Anyways, what we need to be able to do is the following:
> 
> * Have a user be able to authenticate on a *trusted* partner
> website that resides on a server external to our network.
> 
> * Have that external website securely transmit information
> (preferably not on the URL :p) with regards to the
> authentication information on that user; the auth info
> will be the same on both servers.  This would allow the
> user streamlined access to the areas on our website that
> would otherwise require the user to log in without forcing
> them to do so.
> 
> * The other aspect to the above that we also need to address is
> when a user signs up for the first time on the trusted partner's
> site, that signup information should be securely transmitted to
> us when/if the user attempts to access our site so we could set
> them up in the database and authenticate them by nature of the
> above.
> 
> Is something like this possible?  What would be involved?  Is
> there something that is already built into Apache/PHP that
> would make it easier?  Someone suggested XML database transfer,
> but I've never heard of XML being anything other than a markup
> language much less capable of storing data?  It was also suggested
> that we use something like public key/private key but am not sure
> how that would work...
> 
> We are using:
> 
> Apache 1.3.12
> PHP 4.0.3pl1
> PHP4 Session based (not HTTP basic) authentication using mySql
> to store the ID/PW
> 
> I realize the security implications of something like this and have
> brought them up myself.  However, it's something that is being
> pushed and so I've got to look into it (and I don't even really know
> where to start) so please don't say it's stupid because I already know.
> :)  Is something like this possible?  What's involved?  Where can I go
> to learn more?
> 
> Thanks!
> 
> Chris

-- 
PHP General Mailing List (http://www.php.net/)
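
The time-slot scheme from the reply above, as an added example that is not the poster's code: it assumes PHP 7.1 or later and a secret shared by the two sites, and swaps in HMAC-SHA256 over that secret for MD5 over the stored password hash, so a token cannot be computed from the password column alone. The names slot_start, issue_token and verify_token are hypothetical.

```php
<?php
// Added example, not the poster's code. The shared secret, the function names
// and the switch to HMAC-SHA256 are assumptions of this example.
const INTERVAL = 300; // seconds per time slot, as in the post
const PERSIST  = 6;   // earlier slots still accepted, as in the post

// Start of the slot containing $now (the post's $rnow).
function slot_start(int $now): int {
    return $now - ($now % INTERVAL);
}

// Partner site: issue a token for a user it has already authenticated.
function issue_token(string $secret, string $user, int $now): string {
    // Length-prefix the username so user and slot digits cannot run together.
    $msg = strlen($user) . ':' . $user . '|' . slot_start($now);
    return hash_hmac('sha256', $msg, $secret);
}

// Receiving site: accept the token for the current slot or PERSIST earlier ones.
function verify_token(string $secret, string $user, string $token, int $now): bool {
    $ok = false;
    for ($i = 0; $i <= PERSIST; $i++) {
        $expected = issue_token($secret, $user, $now - INTERVAL * $i);
        // hash_equals compares in constant time; every slot is always checked.
        if (hash_equals($expected, $token)) {
            $ok = true;
        }
    }
    return $ok;
}

// Constructed demo values.
$secret = 'constructed-demo-secret';
$issued = 1000000000;
$token  = issue_token($secret, 'alice', $issued);

$cases = [
    'same user, 60 s after issue'        => ['alice',   $issued + 60],
    'same user, PERSIST slots later'     => ['alice',   $issued + PERSIST * INTERVAL],
    'same user, PERSIST + 1 slots later' => ['alice',   $issued + (PERSIST + 1) * INTERVAL],
    'different user, 60 s after issue'   => ['mallory', $issued + 60],
];
foreach ($cases as $label => [$user, $when]) {
    $result = verify_token($secret, $user, $token, $when) ? 'accepted' : 'rejected';
    echo $label, ': ', $result, "\n";
}
```

A token issued by a partner whose clock runs ahead of the receiving site falls in a slot the loop never checks, which is why the scheme depends on synchronized clocks.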