Trusted Shared Authentication
dragor at jml.net
Wed Jul 30 14:46:11 BST 2008
We have web apps X and Y and they share the table that allows you to map
username to an id and also to ldap. Apps X and Y are different webapps
provide different functionality and is intentionally separated. However
a requirement that a user that can authenticate on one app can click
to the other without the need to reauthenticate.
The easiest solution I can think of is to provide a link on app X that
the user id over (possibly encoded to try avoid people playing with
within app Y check the referrer and that the user id exists. Then allow
to assume as that identity.
The other route I've thought about, but not done a huge amount of
into is to use something like OpenID internally. This may be overkill.
the 'trusted website' should be forced at an application level rather
having the user decide if they should or shouldn't.
A shared session is not a route we'd like to go down.
Anyone have interesting ideas to solve this?
Many thanks in advance
Jason Tang - email: jason at dragor.net - msn: jason-msn at dragor.net
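
An added example, not part of the original post: one way to harden the link-based handoff described above is for app X to put a short-lived, HMAC-signed token in the link instead of a bare or merely encoded user id, and for app Y to verify that signature rather than the Referer header, which is supplied by the client. The shared key, the function names, the "app-y" audience label and the 30-second lifetime are assumptions made for illustration.

```python
import base64, hashlib, hmac, json, secrets, time
from typing import Optional

# Assumption: a secret known only to app X and app Y (constructed demo value).
SHARED_KEY = b"constructed-demo-key-replace-me"
MAX_AGE = 30          # seconds a handoff link stays valid
seen_nonces = set()   # app Y's replay cache; a real deployment needs a store with expiry


def b64e(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user_id: int, now: Optional[float] = None) -> str:
    """App X: build the value carried in the link to app Y."""
    claims = {"uid": user_id, "iat": int(now if now is not None else time.time()),
              "nonce": secrets.token_hex(16), "aud": "app-y"}
    body = b64e(json.dumps(claims, separators=(",", ":")).encode())
    tag = hmac.new(SHARED_KEY, body.encode(), hashlib.sha256).digest()
    return f"{body}.{b64e(tag)}"


def verify_token(token: str, now: Optional[float] = None) -> Optional[int]:
    """App Y: return the user id, or None if the token must be rejected."""
    now = now if now is not None else time.time()
    try:
        body, tag = token.split(".")
        expected = hmac.new(SHARED_KEY, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64d(tag)):
            return None                  # user id or another field was altered
        claims = json.loads(b64d(body))
    except (ValueError, TypeError):
        return None                      # malformed token
    if claims.get("aud") != "app-y":
        return None                      # token was minted for a different app
    if not 0 <= now - claims["iat"] <= MAX_AGE:
        return None                      # stale link
    if claims["nonce"] in seen_nonces:
        return None                      # link already used once
    seen_nonces.add(claims["nonce"])
    return claims["uid"]
```

App Y still looks the returned id up in the shared user table before creating its own session, so the two apps keep separate sessions.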