0

I am looking to implement authentication on secondary domains, such that a user will only have to login on one (Primary) domain. All of the domains share a server so private data may be stored in the database and accessed safely. However, I am struggling to develop a proper handshake for the SSO system.

I want to use a similar method to the one explained Here.

The part that I am having trouble with is: To generate a hash that is unique to the user and the session, so it can be validated, however it must not be vulnerable to man in the middle attacks.

Some of the domain do not have SSL, so it needs to be secure on it's own.

My current plan is to generate the string with a base64 of (tempid + sessionid + userip + browser info + timestamp).

All of this information is stored in the server and can be reassembled on the second domain to determine validity (and checked).

Is this enough for validation or are there better ways to do what I am looking to do? Especially since IP and Browser info can be mimicked.

Community
  • 1
  • 1
ShadowZzz
  • 415
  • 2
  • 5
  • 17
  • 1
    you haven't asked a question –  Dec 29 '15 at 05:39
  • Indeed! But `My current plan is to generate the string with a base64 of (tempid + sessionid + userip + browser info + timestamp).` this is a very bad idea. Follow a similar model to [remember me cookies](https://paragonie.com/blog/2015/04/secure-authentication-php-with-long-term-persistence#title.2.1) instead. – Scott Arciszewski Dec 29 '15 at 13:45
  • I have restated my question. I just wanted to know the accepted method for this type of validation. – ShadowZzz Dec 29 '15 at 17:35

0 Answers0