  1. #1

    3rd Party Password Protection: Is it possible?

    Greetings everyone,

    I want to create a third party login system (let's call it SuperPass) that gives users access to member sites.

    Hence a user can go to any of the member sites, log in using the same username and password and hence gain access to the content.

    I have seen it done on some sites. How is it done and how come it doesn't keep asking users to login for every page they view?

    Thanks in advance

  2. #2
    Write a script that authenticates against a centralized username/password database. So you can deploy this authentication scheme across multiple sites/servers and users still maintain the same username/password.

  3. #3
    Join Date
    Aug 2002
    Location
    Chicago, IL, United States
    Posts
    64
    Sometimes it is a better option to go with the more proven password protection solutions than to go out and make your own. The more public ones have been tested and re-tested and probably have a better infrastructure for patching bugs.

    If you are going to make your own, you should be careful.
    Anthony LaMantia
    http://www.bia-security.com

  4. #4
    Thanks for the replies guys.

    I still don't know how the password systems don't ask the user to login at every page. Do they use cookies or what? Are there alternatives (in case user switches off cookies)?

    BiaSecurity, which 'proven password protection solutions' are you talking about? Please can you provide me with links.

    Thanks in advance

  5. #5
    Join Date
    Aug 2002
    Location
    Chicago, IL, United States
    Posts
    64
    I would assume for what you want the SQL database would have entries for time-expire, username, password, IP address (for extra security) and a password hash of sorts that would be passed to a cookie. Then when you ask for the cookie you would have to check it with the database to see if it is to be allowed.

    What I mean by proven password protection solutions is, if you are unsure about how to securely implement this, you should look into a password protection package that is open-source or commercial. I will get some links in a bit when I have some more time.
    Anthony LaMantia
    http://www.bia-security.com

  6. #6
    Join Date
    Sep 2002
    Location
    Dallas, TX
    Posts
    205
    Sessions can be propagated in one of two ways: either by cookies or by URL rewriting. Basically, you store the session ID in the cookie, or it is appended at the end of *EVERY* URL the user requests.

    The session stores are not usually SQL based. Unless you want sessions to propagate across multiple web servers, you don't need a centralized session store like a SQL database. Typically, session information is stored in a file, or sometimes in the Windows registry (on the server). SQL session stores are very slow, comparatively speaking.

    Typically, the programming language you are using has a way of abstracting all of this. All you need to know is how to set and retrieve session values. How they are stored is of little consequence in most cases.

    In your scenario, once a user provides the correct login information, you would simply set a session flag, maybe "isLoggedIn = true." Each page can check for this value and as long as it's true, you can assume the user has been successfully authenticated. A lot of things can be added to this, such as multiple security levels (guest, user, administrator, etc.).
    justin 'at' abrogo.com
    http://www.abrogo.com
    Shared Unix Hosting
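
Added example, not part of the thread and not any poster's code: a cookie-propagated, server-side session of the kind described in post #6, with the expiry time mentioned in post #5. The names (`sid`, `SESSION_TTL`, `check_credentials`) and the in-memory dictionary standing in for the file or database store are assumptions; it also issues a fresh session ID at login so a pre-login ID cannot be reused.

```python
import secrets
import time
from http.cookies import SimpleCookie

SESSION_TTL = 1800   # assumed idle timeout in seconds
_sessions = {}       # stand-in for the server-side session store

def _now(now):
    return time.time() if now is None else now

def new_session(now=None):
    """Create an anonymous session and return its unguessable ID."""
    sid = secrets.token_urlsafe(32)
    _sessions[sid] = {"isLoggedIn": False, "expires": _now(now) + SESSION_TTL}
    return sid

def session_cookie(sid):
    """Set-Cookie value: the cookie carries only the ID, never the password."""
    c = SimpleCookie()
    c["sid"] = sid
    c["sid"].update({"httponly": True, "secure": True,
                     "samesite": "Lax", "path": "/"})
    return c["sid"].OutputString()

def login(old_sid, username, password, check_credentials, now=None):
    """On success, drop the pre-login ID and issue a new one (session fixation defence)."""
    if not check_credentials(username, password):
        return None
    _sessions.pop(old_sid, None)
    sid = new_session(now)
    _sessions[sid].update(isLoggedIn=True, user=username)
    return sid

def require_login(cookie_header, now=None):
    """Per-page check: return the username, or None if not authenticated."""
    cookie = SimpleCookie(cookie_header or "")
    sid = cookie["sid"].value if "sid" in cookie else None
    sess = _sessions.get(sid)
    if sess is None or not sess["isLoggedIn"]:
        return None
    if sess["expires"] < _now(now):
        _sessions.pop(sid, None)          # expired: forget it server-side
        return None
    sess["expires"] = _now(now) + SESSION_TTL   # sliding expiry
    return sess["user"]
```
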
