Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

2 web servers: 1 provides authentication and serves a URL, which redirects the user to the 2nd where content is downloaded

Posted on 2011-02-26
6
Medium Priority
?
340 Views
Last Modified: 2013-11-05
Have to design the security for 2 web servers in different locations. The first server authenticates a user and serves and URL, which redirects the user to the second server where content is downloaded. It seems this solution requires session identification, whether included as part of the URL or sent as a secure HTTP cookie in the response header. Is this the best way to authenticate the user on the second system? If so, how would the first system send this session information to the second server to allow authentication to occur? in researching, it seems SOAP calls from the first system to the second may be a way to accomplish this. Obviously, SSL/TLS would be used to encrypt the SOAP calls. Can anyone let me know if this is the correct design of these systems? If not, any other ways?
0
Comment
Question by:krella
  • 4
  • 2
6 Comments
 
LVL 4

Expert Comment

by:LAMASE
ID: 34989167
Soap, is ok, you can even use direct database calls with sql server accessible only by server1 IP.
You can put some data inside a table, like hash, ip, file.... then  you redirect the user to server2/page.php?auth=xxxxxxxxxx

page.php checks the data in the database for that record, gives back a cookie to the user (if not already set) and should check the ip address or date to prevent forther uses of the final url.
0
 

Author Comment

by:krella
ID: 34989309
Thanks for getting back to me. Would I need to manually create a single user on both systems? Would the username / password need to present on both server 1 and server 2? Or using SOAP, could server 1 pass a security token and / or username token to server 2, which would automatically authenticate the user to server 2, allowing him or her to download the content needed?
0
 
LVL 4

Accepted Solution

by:
LAMASE earned 2000 total points
ID: 34989325
For a simpler way, if server2 should only output the file, you can pass data encrypted with a secret salt (shared by the two servers) in the url, the decode it on the other side to verify. You can encrypt for example the filename, the ip address and the timestamp, then verify everything before ouput the content.

It will looks like
encrypt data with salt "secret"
show the url "download.php?get=xxxxxxxxxxxx"

On the other side
pseudocode:
decrypt the parameter with salt "secret"
check timestamp, ip, other...
output file if ok
0
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 4

Expert Comment

by:LAMASE
ID: 34989330
Thanks for getting back to me. Would I need to manually create a single user on both systems? Would the username / password need to present on both server 1 and server 2? Or using SOAP, could server 1 pass a security token and / or username token to server 2, which would automatically authenticate the user to server 2, allowing him or her to download the content needed?

Depends on what you need to do: server2 has navigable webpages?

With my second example you don't need anything on server2... but don't know your website logic
0
 

Author Comment

by:krella
ID: 34989370
Using your example, I know with SOAP you can pass a security token or salt, that the server 2 can use to authenticate the user. If I do not wish to create user accounts on server 2, what type of logic would be needed on server 2 to authenticate the user? Obviously server 2 would need to validate the security token. Would server 2 need a database of hashes where the security tokens are validated?
0
 
LVL 4

Expert Comment

by:LAMASE
ID: 34989441
The fact that the encrypted data is valid (according to the secret salt) is a signal that comes from a trusted source. This can be a quick&dirty way to autenticate.
0

Featured Post

Vote for the Most Valuable Expert

It’s time to recognize experts that go above and beyond with helpful solutions and engagement on site. Choose from the top experts in the Hall of Fame or on the right rail of your favorite topic page. Look for the blue “Nominate” button on their profile to vote.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Originally, this post was published on Monitis Blog, you can check it here . It goes without saying that technology has transformed society and the very nature of how we live, work, and communicate in ways that would’ve been incomprehensible 5 ye…
When the s#!t hits the fan, you don’t have time to look up who’s on call, draft emails, call collaborators, or send text messages. An instant chat window is definitely the way to go, especially one like HipChat. HipChat is a true business app. An…
The viewer will learn how to create and use a small PHP class to apply a watermark to an image. This video shows the viewer the setup for the PHP watermark as well as important coding language. Continue to Part 2 to learn the core code used in creat…
Learn how to set-up custom confirmation messages to users who complete your Wufoo form. Include inputs from fields in your form, webpage redirects, and more with Wufoo’s confirmation options.
Suggested Courses

963 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question