Trusted Shared Authentication
Amit Muthu
amit at venda.com
Wed Jul 30 15:33:44 BST 2008
Jason Tang wrote:
> Overview:
>
> We have web apps X and Y and they share the table that allows you to map
> a username to an id and also to ldap. Apps X and Y are different webapps
> that provide different functionality and are intentionally separated.
> However there's a requirement that a user that can authenticate on one
> app can click through to the other without the need to reauthenticate.
>
If you end up going with the click through URLs you probably want them
to be unpredictable AND (in order of preference):

* single use

or:

* usable for n minutes

or at the very least:

* valid only while the credentials used to do the original authentication
  remain valid (changing your password should invalidate any previously
  generated links relating to your account)

Amit
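The three properties Amit lists (unpredictable, single use, time-limited, and tied to the credentials used at login) can all be enforced by one token scheme. The following is an added example, not code from the thread or from either poster; it assumes both apps share a signing key and can look up a user's current stored password hash, and the `ClickThroughTokens` class, the `credential_tag` helper and the in-memory "used nonce" set are hypothetical names chosen for illustration.

```python
import hashlib
import hmac
import secrets
import time

# Constructed example: both web apps must hold the same SIGNING_KEY. It is
# generated here so the example runs offline; a deployment would load it
# from shared configuration instead.
SIGNING_KEY = secrets.token_bytes(32)


class ClickThroughTokens:
    """Issue and redeem click-through links that are unpredictable,
    single use, valid for a limited time, and bound to the credentials
    that were used for the original authentication."""

    def __init__(self, ttl_seconds=300, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock          # injectable for testing
        self._used = set()          # nonces already redeemed (single use)

    @staticmethod
    def credential_tag(password_hash):
        # Short tag derived from the *stored* password hash. A password
        # change produces a new hash, so every earlier token stops verifying.
        return hashlib.sha256(password_hash.encode()).hexdigest()[:16]

    def _sign(self, payload):
        return hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).hexdigest()

    def issue(self, user_id, password_hash):
        """Build a token for user_id; user_id must not contain '|'."""
        nonce = secrets.token_urlsafe(16)          # unpredictable part
        expires = int(self.clock()) + self.ttl     # usable for n seconds
        payload = "|".join([user_id, str(expires), nonce,
                            self.credential_tag(password_hash)])
        return payload + "|" + self._sign(payload)

    def redeem(self, token, lookup_password_hash):
        """Return the user id if the token is still valid, else None.
        lookup_password_hash(user_id) returns the user's *current* stored
        hash (or None if the user no longer exists)."""
        try:
            user_id, expires, nonce, tag, sig = token.split("|")
        except ValueError:
            return None
        payload = "|".join([user_id, expires, nonce, tag])
        if not hmac.compare_digest(self._sign(payload), sig):
            return None                             # forged or tampered
        if int(expires) < self.clock():
            return None                             # expired
        if nonce in self._used:
            return None                             # link already used
        current = lookup_password_hash(user_id)
        if current is None or not hmac.compare_digest(
                self.credential_tag(current), tag):
            return None                             # password changed since issue
        self._used.add(nonce)                       # mark as consumed
        return user_id


if __name__ == "__main__":
    # Constructed user table shared by apps X and Y (user -> password hash).
    users = {"alice": "constructed-hash-v1"}
    svc = ClickThroughTokens(ttl_seconds=120)
    link = svc.issue("alice", users["alice"])
    print("first click :", svc.redeem(link, users.get))   # alice
    print("second click:", svc.redeem(link, users.get))   # None (single use)
```

The "used nonce" set lives in memory here; with two separate apps it would have to be a shared store (the same database both apps already share for the username mapping is the obvious place), and entries can be dropped once their expiry has passed.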
More information about the london.pm mailing list