Can you test if a session is valid from a different domain?
Posted: Tue Apr 08, 2008 11:30 am
Hi! I'm pretty new to programming so would really appreciate some advice on whether something is possible without compromising security too much.
It's probably best if I start by explaining what I've got at the moment then describe what I would like to do:
I am building the website for a new non-profit organisation. At the moment there are a few pages for members only but nothing terribly vital so I am simply using the login system from our phpBB forum via the standard sessions integration (kb article on phpbb site) to test if the user is logged in before displaying the private content.
I now need to create a page where members can view and change the personal details we hold about them, including name, address, date of birth, etc. In other words, no financial details but still data that should be kept private. However, we only have access to a shared secure server so the secure connection has to go through a different domain.
What I would like to happen is that visitors must log into the main site as usual before they can go to the private details page. If they are already logged in to the main site then they must simply re-authenticate themselves once (by giving the password again, or possibly a personal question & answer) when they arrive at the secure page. If they try to go straight to the secure URL without logging in to the main site first they should be directed to the main site login page to sign in there before being redirected back to the secure page where they will still have to re-authenticate themselves. In other words, they always have to log in twice to see their details, once through the standard forum login and once through the secure connection (hope that makes sense!).
So (finally getting to the point), what I would like to know is:
1) Is the above situation possible, given that the forum session would be set through mydomain.com and the re-authentication would be by secure-server/mydomain.com?
2) Is what I've described appropriate or should I just ask visitors to log in once to the secure page and not bother about whether they're already logged into the main site?
3) If it is both possible and desirable, how can it be done?
btw, we have no money so a dedicated server or security certificate just for our domain is not an option.
I would be very grateful for any advice or suggestions,
Thanks
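One way to do the hand-off the post describes, as an added example that is not from the original post and is not phpBB's own code: browser cookies are scoped to the host that set them, so the phpBB session cookie for mydomain.com is never sent to secure-server/mydomain.com and the secure host cannot "see" the forum session directly. Instead, the main site (after its own phpBB session check says the visitor is logged in) puts a short-lived, single-use, HMAC-signed token in the redirect URL; the secure host verifies the token, and only then asks for the password again over HTTPS. This assumes a secret shared by both hosts (HANDOFF_SECRET), that the secure host can look up the member's password hash (the hypothetical find_password_hash()), and that the secure host keeps a store of nonces it has already accepted (here just an array).

```php
<?php
// Added example (not from the original post or phpBB): cross-domain login hand-off.
// Main site (mydomain.com) issues a signed token; the secure host verifies it and
// then still requires the password. HANDOFF_SECRET and find_password_hash() are
// assumptions for this example.

const HANDOFF_SECRET = 'replace-with-a-long-random-secret-shared-by-both-hosts';
const HANDOFF_TTL    = 120; // seconds a hand-off token stays valid

// Main site: call only after the phpBB session check confirms the visitor is logged in.
function make_handoff_token(int $user_id, string $secret, ?int $now = null): string {
    $now     = $now ?? time();
    $expiry  = $now + HANDOFF_TTL;
    $nonce   = bin2hex(random_bytes(16));             // makes every token unique
    $payload = "$user_id|$expiry|$nonce";
    $mac     = hash_hmac('sha256', $payload, $secret);
    return $payload . '|' . $mac;
}

// Secure host: returns the user id if the token is genuine, fresh and unused, else null.
// $seen_nonces is whatever store the secure host uses to reject replayed tokens.
function verify_handoff_token(string $token, string $secret, array &$seen_nonces, ?int $now = null): ?int {
    $now   = $now ?? time();
    $parts = explode('|', $token);
    if (count($parts) !== 4) {
        return null;
    }
    [$user_id, $expiry, $nonce, $mac] = $parts;
    if (!ctype_digit($user_id) || !ctype_digit($expiry)) {
        return null;
    }
    $expected = hash_hmac('sha256', "$user_id|$expiry|$nonce", $secret);
    if (!hash_equals($expected, $mac)) {               // constant-time comparison
        return null;                                   // forged or tampered
    }
    if ((int)$expiry < $now) {
        return null;                                   // expired
    }
    if (isset($seen_nonces[$nonce])) {
        return null;                                   // replayed
    }
    $seen_nonces[$nonce] = true;
    return (int)$user_id;
}

// Secure host: the second login the post asks for, the password typed again over HTTPS.
function reauthenticate(int $user_id, string $password): bool {
    $hash = find_password_hash($user_id);
    return $hash !== null && password_verify($password, $hash);
}

// Hypothetical lookup; a real deployment reads the hash from the members' database.
function find_password_hash(int $user_id): ?string {
    static $table = null;
    if ($table === null) {
        // constructed sample row for this example
        $table = [42 => password_hash('correct horse', PASSWORD_DEFAULT)];
    }
    return $table[$user_id] ?? null;
}

// Round trip: main site builds the redirect, secure host checks it.
$seen     = [];
$token    = make_handoff_token(42, HANDOFF_SECRET);
$redirect = 'https://secure-server/mydomain.com/details.php?t=' . rawurlencode($token);

$uid      = verify_handoff_token($token, HANDOFF_SECRET, $seen);                   // 42
$replay   = verify_handoff_token($token, HANDOFF_SECRET, $seen);                   // null: nonce used
$tampered = verify_handoff_token('43' . substr($token, 2), HANDOFF_SECRET, $seen); // null: MAC fails

echo "redirect: $redirect\n";
echo "hand-off user: ", var_export($uid, true), "\n";
echo "replay: ", var_export($replay, true), ", tampered: ", var_export($tampered, true), "\n";
echo "re-auth ok: ", var_export($uid !== null && reauthenticate($uid, 'correct horse'), true), "\n";
```

Once reauthenticate() succeeds, the secure host starts its own session and should set that cookie with the secure and httponly flags (session_set_cookie_params() before session_start()) so it is never sent over plain HTTP and cannot be read by script. The nonce store must outlive a single request on a real host (a small database table or file with expired entries pruned), otherwise the replay check is meaningless. Keeping the token's lifetime to a couple of minutes limits how long a URL copied from a browser history or referrer log stays usable, and the password prompt on the secure side means a stolen token alone still does not expose the details page. Whether to keep the double login at all is a judgement call: the hand-off token mainly ensures that only people already known to the forum reach the secure page, while the password re-entry is what actually protects the data.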