
Logging in users over multiple websites 1


Biffy13 (Programmer), Oct 22, 2002
Hi

Has anyone any ideas how I can achieve the following please?

My company has a number of partners and we all have our own websites which are hosted on completely separate servers. Each also runs its own membership database. I require that a member can access any website by only having to log in the once. How can I achieve this?

Our website is run on Windows 2000 with IIS 5. It is currently in ASP though it is also set up for .NET (therefore a .NET solution would be okay). As for the other websites - they could be scripted in any language...

Thanks
;)
 
If it's a private club the solution could be something as simple as... if the HTTP_REFERER is in the club then let them in. You might want to add some secret code to the end of a querystring as some backup validation. Or, everybody keeps a database of everybody else's memberships (and I don't think that is going to fly). Just an idea (before coffee)... :(
 
Yes, I think HTTP_REFERER is the best idea to go for.
If HTTP_REFERER is in the club then the user is logged in with what you send as a query string.
If not, go and make a normal login page.

________
George, M
 
Thanks.

Didn't think of the HTTP_REFERER + querystring option - that might work as a solution. The only trouble is that they would always have to sign on at their specific website first, i.e. if they were a member of club 2 but they went to club 1's website and tried to log in, they would be rejected as their login details would not exist on club 1's membership database.

I don't want to go the duplicating member records route as the maintenance on this would be one huge headache!

I was thinking possibly of one login area which then sent them to the appropriate web page - but I would need something that could authenticate them to the other sites. A querystring, however random, is still interceptable. Even though any casual cracker would probably not find anything of interest in the members area, it's still something that I must consider.

I also want each website to be able to identify each member by name, company, address etc. for which they would need to access the original database.

Would it be secure enough to allow remote access to a SQL database? Or is this the kind of thing I should be considering SOAP or web services for?

Thanks again.
;)
 
Well, about intercepting the query string: if it uses HTTP_REFERER you know that the call is from a secure place, so no one can call your pages unless they have access to your club's domains.

Also you can do the registering in one domain and from the others just a simple redirect.


It should be something like this.

This ASP should be in only one domain (the club domain name used in the check is a placeholder for your own):

    <%
    Dim referer, loginData
    referer = Request.ServerVariables("HTTP_REFERER")

    ' Only requests arriving from a club domain get past this point
    If InStr(1, referer, "clubdomain.example", vbTextCompare) = 0 Then
        Response.End
    End If

    ' Referer is in the club: read the login data passed on the query string
    loginData = Request.QueryString("loginData")
    ' ... mark the user as logged in using loginData ...

    ' Send the user back to where he logged in
    Response.Redirect referer
    %>

Also loginData can be encrypted or used just as a flag that tells you the user is OK.

________
George, M
 
Thanks for all your help.

Still have further questions though!

Whilst I have all this redirect and referer business which means theoretically the user should get redirected to where they should be, there are still some problems as this relies on the members going to their club website in the first place.

If a member is from club 1 but doesn't go to club 1's website and instead goes straight to club 2's website and tries to log in, club 2's website will reject him as it won't have him in its database; he only exists in club 1's database. Make sense?

I also can't personalise club 1's website, if all the personal details exist in club 2's website. And I don't want to duplicate data as the maintenance would get out of hand.

I know I am probably talking myself into my own solution here but it is good to be able to share my thoughts with others (I am a lone developer and don't have any other webbie people to discuss this with!).

I need some way of being able to securely share the data between the websites. I think SQL allows remote access but I don't know anything about it or its security implications.

I am thinking along the lines of holding certain details such as login details and name in a SQL database and then allowing this to be shared between the club websites. I just don't know the best way to do this.

Ideally, I would have some kind of mechanism whereby each club maintains its own database and each other member in the club could query it. But as the club websites are not all on the same platform, i.e. Windows 2000 running IIS 5 written in ASP, I am not sure this could be achieved.

Am I digging a huge hole here...??
 
Are all the databases SQL Server? Then no problem. What are the other platforms? Everybody should be able to read an XML file.
 
I only know what my setup is (not very helpful I know!). I have a SQL database.

The others should be able to read XML as you say. Not knowing an awful lot about it, how would that help? I have to ensure that the membership details and login are kept secure at all times.
 
If you have SQL 7 you're going to use the same database for all users, and make different setups (for example keep the user's club access and setup in the database) for each club for every user.
This way you will know if a user can access a club.
You can check this information on the global login page and check it again each time a user changes clubs.
You can see if a user changes club by using HTTP_REFERER.
- when a user has a valid referer you will check if he has rights on that club; if not you'll redirect him to a page telling him that.
- if the user has an empty HTTP_REFERER then the user is already from the club and you don't need to check him again.

This is the way I see it working.

________
George, M
 
Thanks everyone for your help.

I have had another thought - how about this:

On my webserver I have SQL in which I set up a login database, with usernames and passwords and anything else necessary. This SQL database is restricted to the other club members only.

In this database, I duplicate the other club logins. Then, whenever the logins change or a membership expires, I request that when the concerned club site updates this on its database, it also adds in a script that remotely updates this information on my SQL database. (Or they could of course just use my SQL database as their login database). [Looking into security implications of all of this...]

Now, each club is assigned a permanent unique id (alphanumeric string). When a member logs into their club, the club website must create a unique session id which is then remotely added to that member's record in my SQL database. Then, when they refer to our website, the club website must - via querystring - pass their unique id and the session id (encrypted) for that user.

I then check the unique id and REFERER values are valid for that club website (for double security). If these are okay, I decrypt the session id (we would have to use an agreed key) and then check for the session id in my SQL database. If it's there then they are automatically logged in, if it's not then they are prompted to login.

If they are logging in directly to my website, I already have their login details in my SQL database and so could validate them directly.

This means that they only have to log in the once and access to our website is enabled. And if the other clubs follow suit, the members could login to any club websites that they wanted to.

Can anyone see any flaws in this plan?

Thanks
;)
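
The hand-off described in this plan, as an added example that is not from the thread: the club site mints a session id after its own login, records it in the central database, and passes its club id plus a token on the querystring; the central site validates the token and looks up the session id before treating the member as logged in. It swaps the post's "encrypted session id" for an HMAC-signed token with an expiry (so a tampered or replayed-late token is rejected), and the club ids, shared key and in-memory "SQL database" are constructed stand-ins.

```python
import base64
import hashlib
import hmac
import secrets
import time

SHARED_KEY = b"constructed-demo-key"            # the agreed key (one per club in practice)
CLUB_IDS = {"club1": "A7X9", "club2": "K2M4"}   # constructed permanent club ids

# Constructed stand-in for the central SQL login database: username -> record
central_db = {"alice": {"club": "club1", "name": "Alice Example", "session_id": None}}


def club_login(username):
    """Run on the club site once its own login succeeds: mint a session id and
    remotely add it to the member's record in the central database."""
    sid = secrets.token_hex(16)
    central_db[username]["session_id"] = sid
    return sid


def make_handoff_token(club, username, sid, key, now=None):
    """Querystring value the club site sends along with its club id.
    Swapped technique: HMAC over the fields plus an expiry, not encryption."""
    exp = int(now or time.time()) + 300           # token is good for five minutes
    payload = f"{club}|{username}|{sid}|{exp}"
    mac = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(f"{payload}|{mac}".encode()).decode()


def verify_handoff(club_id, token, key, now=None):
    """Central site's check: known club id, intact MAC, not expired, and the
    session id matches the member's record. Returns the username or None
    (None means: show the normal login page)."""
    club = next((c for c, i in CLUB_IDS.items() if i == club_id), None)
    if club is None:
        return None
    try:
        pclub, user, sid, exp, mac = base64.urlsafe_b64decode(token).decode().split("|")
    except (ValueError, UnicodeDecodeError):
        return None
    payload = f"{pclub}|{user}|{sid}|{exp}"
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):   # constant-time comparison
        return None
    if pclub != club or int(exp) < int(now or time.time()):
        return None
    rec = central_db.get(user)
    if rec is None or rec["club"] != club or rec["session_id"] != sid:
        return None
    return user
```

Clearing the session id in the central record (logout or membership expiry) makes every outstanding token for that member fail the last check.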

 
Thanks Shadow.

The only thing now is to test out my theory...
;)
 