Solved

2 web servers: 1 provides authentication and serves a URL, which redirects the user to the 2nd where content is downloaded

Posted on 2011-02-26
6
337 Views
Last Modified: 2013-11-05
Have to design the security for 2 web servers in different locations. The first server authenticates a user and serves and URL, which redirects the user to the second server where content is downloaded. It seems this solution requires session identification, whether included as part of the URL or sent as a secure HTTP cookie in the response header. Is this the best way to authenticate the user on the second system? If so, how would the first system send this session information to the second server to allow authentication to occur? in researching, it seems SOAP calls from the first system to the second may be a way to accomplish this. Obviously, SSL/TLS would be used to encrypt the SOAP calls. Can anyone let me know if this is the correct design of these systems? If not, any other ways?
0
Comment
Question by:krella
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 2
6 Comments
 
LVL 4

Expert Comment

by:LAMASE
ID: 34989167
Soap, is ok, you can even use direct database calls with sql server accessible only by server1 IP.
You can put some data inside a table, like hash, ip, file.... then  you redirect the user to server2/page.php?auth=xxxxxxxxxx

page.php checks the data in the database for that record, gives back a cookie to the user (if not already set) and should check the ip address or date to prevent forther uses of the final url.
0
 

Author Comment

by:krella
ID: 34989309
Thanks for getting back to me. Would I need to manually create a single user on both systems? Would the username / password need to present on both server 1 and server 2? Or using SOAP, could server 1 pass a security token and / or username token to server 2, which would automatically authenticate the user to server 2, allowing him or her to download the content needed?
0
 
LVL 4

Accepted Solution

by:
LAMASE earned 500 total points
ID: 34989325
For a simpler way, if server2 should only output the file, you can pass data encrypted with a secret salt (shared by the two servers) in the url, the decode it on the other side to verify. You can encrypt for example the filename, the ip address and the timestamp, then verify everything before ouput the content.

It will looks like
encrypt data with salt "secret"
show the url "download.php?get=xxxxxxxxxxxx"

On the other side
pseudocode:
decrypt the parameter with salt "secret"
check timestamp, ip, other...
output file if ok
0
Will your db performance match your db growth?

In Percona’s white paper “Performance at Scale: Keeping Your Database on Its Toes,” we take a high-level approach to what you need to think about when planning for database scalability.

 
LVL 4

Expert Comment

by:LAMASE
ID: 34989330
Thanks for getting back to me. Would I need to manually create a single user on both systems? Would the username / password need to present on both server 1 and server 2? Or using SOAP, could server 1 pass a security token and / or username token to server 2, which would automatically authenticate the user to server 2, allowing him or her to download the content needed?

Depends on what you need to do: server2 has navigable webpages?

With my second example you don't need anything on server2... but don't know your website logic
0
 

Author Comment

by:krella
ID: 34989370
Using your example, I know with SOAP you can pass a security token or salt, that the server 2 can use to authenticate the user. If I do not wish to create user accounts on server 2, what type of logic would be needed on server 2 to authenticate the user? Obviously server 2 would need to validate the security token. Would server 2 need a database of hashes where the security tokens are validated?
0
 
LVL 4

Expert Comment

by:LAMASE
ID: 34989441
The fact that the encrypted data is valid (according to the secret salt) is a signal that comes from a trusted source. This can be a quick&dirty way to autenticate.
0

Featured Post

Get HTML5 Certified

Want to be a web developer? You'll need to know HTML. Prepare for HTML5 certification by enrolling in July's Course of the Month! It's free for Premium Members, Team Accounts, and Qualified Experts.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Developer portfolios can be a bit of an enigma—how do you present yourself to employers without burying them in lines of code?  A modern portfolio is more than just work samples, it’s also a statement of how you work.
CTAs encourage people to do something specific to show interest in your company, product or service. Keep reading to learn why CTAs should always be thought of as extremely important, albeit small, sections of websites.
This tutorial will teach you the core code needed to finalize the addition of a watermark to your image. The viewer will use a small PHP class to learn and create a watermark.
Learn how to set-up custom confirmation messages to users who complete your Wufoo form. Include inputs from fields in your form, webpage redirects, and more with Wufoo’s confirmation options.

623 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question