?
Solved

authentication via link from specific site

Posted on 2006-11-09
8
Medium Priority
?
208 Views
Last Modified: 2013-12-24
Hi,

I have a client that wants our company to set up a link to access directly a secure area in our web site with:
1) only links coming from their site will be accepted (say www.clientssite.com)
2) all the logging informatoin has to be in the link and ecrypted

I know it's a two part question & if it gets too complicated instead of splitting the points I could open a second one for part two.

any suggestion to get started?
0
Comment
Question by:Shawn
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
8 Comments
 
LVL 13

Expert Comment

by:usachrisk1983
ID: 17913460
As far as only links coming from their site, you can looks at your CGI scope for the referer.  If it doesn't start with www.clientsite.com, reject it.  Problems: This relies on your website and the clients browser to support this.  Most do, but something to think about.  Also, since this is browser based, a user could potentially fake it.

Do you mean login information (not logging?)?  In either case, you just need to each decide how this information should be encrypted.  There are CF encrypt functions, you can hash, or you can come up with your own type of encryption.
0
 
LVL 7

Expert Comment

by:ExpertAdmin
ID: 17914468
I would handle the "allow" part with the web server itself. For example, in IIS you can set an allow list by IP or domain name.

As far as encrypting the information in the URL, that is only going to be as good as your encryption routine. Keep in mind also that some browsers limit the length of the URL, so you could run into problems there.

I would look at some sample encryption scripts. Your best bet will probably be to create a function that runs a block of Java code to do the encryption and unencryption. There may even be some encryption support built into Java, which would simplify things a lot.

You may also be able to use CFENCRYPT. Here is a thread about it:

http://www.experts-exchange.com/Web/WebDevSoftware/ColdFusion/Q_21702753.html

M@
0
 
LVL 39

Accepted Solution

by:
gdemaria earned 2000 total points
ID: 17914746

 For #2)  This sounds like a single sign-on type setup.   If so, I've done it a bit diferrent way that I have done this is to pass the user ID and a hash value instead of the username and password.  This of course, presumes that the user ID can be determined from both sides.   So here's how it works...

  User logins in and is validated, his unique ID is hashed together with his password and a secret keyword both sides know.   These two values are passed.

  id=123&h=AKJGHS09843LKJLKJ987LAKGLKMN6879KHLLKK

 On the secure side, the user ID is looked up and the hash passed in is compared with the hashing of the user id along with the password and the secret keyword.  

 This can't be decrypted.

 By the way, the secret keyword could be some type of date/time so that it changes frequently

 This may not work in your situation, but thought I would suggest it in case...

0
Moving data to the cloud? Find out if you’re ready

Before moving to the cloud, it is important to carefully define your db needs, plan for the migration & understand prod. environment. This wp explains how to define what you need from a cloud provider, plan for the migration & what putting a cloud solution into practice entails.

 
LVL 13

Expert Comment

by:usachrisk1983
ID: 17915012
Regarding letting IIS handle this, the IIS IP and Domain Restrictions are based on the clients IP or domain, and not the referring site, so this will not work in this situation.
0
 
LVL 1

Author Comment

by:Shawn
ID: 18125171
Hi,

I'm actually still working on it & would like you to keep it open for a little while. I'll add more comments within te next week.

thank you, Shawn
0
 
LVL 1

Author Comment

by:Shawn
ID: 18282105
I used a similar solution to gdemaria  (thank you)...a link with a key, expiry date, and an email to me for testing puposes.
0

Featured Post

ATEN's HDBaseT Presentation at InfoComm 2017

Hear ATEN Product Manager YT Liang review HDBaseT technology, highlighting ATEN’s latest solutions as they relate to real-world applications during her presentation at the HDBaseT booth at InfoComm 2017.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Article by: kevp75
Hey folks, 'bout time for me to come around with a little tip. Thanks to IIS 7.5 Extensions and Microsoft (well... really Windows 8, and IIS 8 I guess...), we can now prime our Application Pools, when IIS starts. Now, though it would be nice t…
When it comes to showing a 404 error page to your visitors, you do not want that generic page to show, and you especially do not want your hosting provider’s ad error page to show either. In this article, I will show you how to enable the custom 40…
NetCrunch network monitor is a highly extensive platform for network monitoring and alert generation. In this video you'll see a live demo of NetCrunch with most notable features explained in a walk-through manner. You'll also get to know the philos…
If you’ve ever visited a web page and noticed a cool font that you really liked the look of, but couldn’t figure out which font it was so that you could use it for your own work, then this video is for you! In this Micro Tutorial, you'll learn yo…
Suggested Courses
Course of the Month10 days, 2 hours left to enroll

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question