Trusted Shared Authentication

Amit Muthu amit at
Wed Jul 30 15:33:44 BST 2008

Jason Tang wrote:
> Overview:
> We have web apps X and Y and they share the table that allows you to map
> a
> username to an id and also to ldap. Apps X and Y are different webapps
> that
> provide different functionality and is intentionally seperated. However
> there's
> a requirement that a user that can authenticate on one app can click
> through
> to the other without the need to reauthenticate.
If you end up going with the click through URLs you probably want them 
to be unpredictable AND (in order of preference):

 * single use


 * usable for n minutes

or at the very least:

 * valid only while the credentials used to do the original 
authentication remain valid (changing your password should invalidate 
any previously generated links relating to your account)


More information about the mailing list