php - auto login by requesting security token -


scenario:

clientwebsite can accessed when user has security card inserted pc. clientwebsite outside of control, w/ security card.

i developed js web app requires username/password. system requests security token, , if provided credentials valid, token returned , appended requests url parameter. token valid 60 mins.

the sys admin of clientwebsite wants put link js app on secured site. if able view clientwebsite, allowed view js app, , after following link, should not have login again.

i had sys admin insert test link point page on our server , execute js/jquery retrieve http referrer, blank. conclusion -- our client's browsers have referrer disabled, or clientwebsite configured in way disables sending referrer. not surprising, secure site least.

it easy request security token via ajax/php before leaving clientwebsite (i provide code sys admin put in clientwebsite). method use hard coded credentials in php script, return/append token link it's available when arriving @ js app. js app check token's validity, , if ok, login suppressed on js app.

problem:

someone c/p ajax call clientwebsite, run outside of clientwebsite, obtain token, pass token else use access js app.

question:

i'd check referrer in php script, issue token if referrer matches clientwebsite, no referrer being sent & referrer can spoofed anyway. other method use determine request token coming clientwebsite page?

thanks!!

edit:

supply sys admin ajax call so:

$('#jsapplink').click(function(e){     e.preventdefault();     var currenthref = $(this).attr('href');     $.ajax({         "type":"post",         "datatype": "jsonp",         "url": "https://mydomain.com/gettokenusingcurl.php",         "success": function (returndata){             newhref = currenthref + "?token=" + returndata.token;             window.location = newhref;         }     }) })

onclick, php script on server queried. script contains hard coded creds. out of public view. return token clientwebsite, append js app url, continue link click routing user js app.

there 2 layers of defense need prevent style of attack.

the first use ssl prevent attackers off-system intercepting transmission , getting token. sounds may doing potentially (referrers blank ssl enabled pages).

the second introduce randomizing component (to differentiate requests each other) , identifying component (to identify user) token.

so, can have clientwebsite issue back-channel request server token. in request, should include remote ip of user, , should validate request coming clientwebsite's servers.

then, instead of returning token directly, encrypt using random nonce. associate nonce in database provided remote ip of user.

now, when browser makes request site, passes encrypted token. lookup key remote ip of user (remote_addr) , decrypt it.

it prevents replay attacks, since require ip spoofing able so. careful if proxies involved, complicate things (and proxy trusted instead of user).

this reminiscent how oauth1 works, except orientation of trust reversed (the client server auth source of record, in oauth authentication server auth source)...

/---------\            /---------------\           /-------------\ | browser | ---------> | clientwebsite |    ip     | server | |         |            |    server     | --------> |             | |         |            |               | encrypted |             | |         |            |               |   token   |             | |         |            |               | <-------- |             | |         |  encrypted |               |           |             | |         |    token   |               |           |             | |         | <--------- |               |           |             | |         |            \---------------/           |             | |         |                                        |             | |         |             encrypted token            |             | |         | -------------------------------------> |             | |         |                                        |             | |         |             session start              |             | |         | <------------------------------------- |             | \---------/                                        \-------------/

it's secure because way generate encrypted token (encrypted strong random key, never leaves server) make request clientwebsite's server (because you're verifying request came server directly, via back-channel).


Comments

Post a Comment

Popular posts from this blog

monitor web browser programmatically in Android? -

i've got tricky question here. need users make payment bank (namely barclaycard) in uk. so, have https url , add parameters (such amount pay, order reference, etc) url, start http connection intent.actionview, redirect user browser can enter credit card details on bank's webpage , make payment our account successfully. far ? the code use below (i changed values privacy reasons) problem is, need app when user has completed/failed/cancelled payment. barclaycardautomatically redirects particular url when payment has succeeded, 1 if failed. there no way of knowing when barclaycard payment has succeeded go android app somehow ? button cardbutton = (button) findviewbyid(r.id.card_button); cardbutton.setonclicklistener(new view.onclicklistener() { @override public void onclick(view arg0) { string prehashstring = new string(); string prohashstring = new string(); string shapassphrase = new string(); shapassphrase = "gsvth£h70zkh...
Read more

ios - iPhone/iPad different view orientations in different views , and apple approval process -

i force app's home screen portrait , other views landscape. apple rejects app if this? if not , how force first screen launch in portrait mode? , force other screens launch in landscape. this not duplicate question search every possible answer in website. i force app's home screen portrait , other views landscape. apple rejects app if this? no apple not reject app this. have lot of apps doesn't support orientation. forcing on 1 screen won't cause app reject. if not , how force first screen launch in portrait mode? , force other screens launch in landscape. can on write : -(nsuinteger)supportedinterfaceorientations; function.
Read more

Shrink a YouTube video to responsive width -

i have youtube video embedded on our website , when shrink screen tablet or phone sizes stops shrinking @ around 560px in width. standard youtube videos or there can add code make go smaller? you can make youtube videos responsive css. wrap iframe in div class of "videowrapper" , apply following styles: .videowrapper { float: none; clear: both; width: 100%; position: relative; padding-bottom: 56.25%; padding-top: 25px; height: 0; } .videowrapper iframe { position: absolute; top: 0; left: 0; width: 100%; height: 100%; } the .videowrapper div should inside responsive element. padding on .videowrapper necessary keep video collapsing. may have tweak numbers depending upon layout.
Read more