Cross logins
James A. Donald
jamesd at echeque.com
Wed Aug 3 18:15:00 EDT 2005
Is it possible for two web sites to arrange for cross
logins?
The goal is that if someone is logged into website
https://A.com as user127, and then browses to
https://B.com/A_com_registrants, he will be
automatically logged in on b.com as user127 at A.com.
Inventing a protocol off the spur of the moment, and the
seat of my pants, which is a good way to get shot down
in flames, the B.com web page would access a resource
whose url is on the A.com web site, the url containing a
representation of the browser's current B.com cookie.
User127's browser would access that resource, sending
the A.com cookie, the A.com web site would then signal
B.com that the browser with that B.com cookie is
currently logged into A.com as user127.
One obvious flaw in this scheme is that *automatic*
login leaks information - users can be logged in without
them knowing it.
So another solution is that the B.com login link is
actually a link to the A.com web site, with a transient
public key encoded in the url. A.com looks at the
referring url, and tells user "<referral URL> wants to
identify you as an A.com subscriber. Do you want to
login to <referral url> as user127 at a.com?" If user says
yes, then A.com sends his browser a redirect to B.com
with an encrypted message in the URL to B.com saying
"This guy is user127 at A.com". To avoid replay attacks,
public key should change every time - public key should
change with the browser cookie used by B.com.
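The consent-then-redirect scheme above, worked through as an added example (not code from the post): B.com issues a login link carrying a fresh per-attempt nonce bound to the browser's B.com cookie, A.com asks the user before asserting anything, and B.com accepts the returned assertion once only. Since the Python standard library has no public-key encryption, an HMAC under a constructed key shared by the two sites stands in for the post's message encrypted to B.com's transient public key; that substitution, the hostnames and the cookie values are assumptions.

```python
import base64, hashlib, hmac, json, secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed key shared by A.com and B.com (assumption): the standard library has
# no public-key encryption, so an HMAC under this key stands in for the post's
# message encrypted to B.com's transient public key.
SHARED_KEY = b"constructed-shared-key-between-A-and-B"
RETURN_URL = "https://B.com/A_com_registrants"

class IdentitySite:                       # A.com, where the user is logged in
    def __init__(self, sessions):
        self.sessions = sessions          # A.com cookie -> username

    def handle_login_link(self, a_cookie, link, user_consents):
        """Ask the user first; return the redirect URL to B.com, or None."""
        q = parse_qs(urlparse(link).query)
        ret, nonce = q["return"][0], q["nonce"][0]
        user = self.sessions.get(a_cookie)
        if user is None or not user_consents(ret, user):
            return None                   # nothing is asserted without a yes
        claim = json.dumps({"user": f"{user} at A.com", "nonce": nonce,
                            "aud": urlparse(ret).hostname}, sort_keys=True).encode()
        mac = hmac.new(SHARED_KEY, claim, hashlib.sha256).digest()
        return ret + "?" + urlencode(
            {"assertion": base64.urlsafe_b64encode(claim + mac).decode()})

class RelyingSite:                        # B.com
    def __init__(self):
        self.pending = {}                 # B.com cookie -> one-time nonce
        self.logged_in = {}               # B.com cookie -> asserted identity

    def login_link(self, b_cookie):
        # fresh nonce per attempt, bound to this B.com cookie (the post's changing key)
        nonce = secrets.token_urlsafe(16)
        self.pending[b_cookie] = nonce
        return "https://A.com/crosslogin?" + urlencode({"return": RETURN_URL, "nonce": nonce})

    def finish_login(self, b_cookie, redirect_url):
        """Accept an assertion once, and only from the browser that requested it."""
        raw = base64.urlsafe_b64decode(parse_qs(urlparse(redirect_url).query)["assertion"][0])
        claim, mac = raw[:-32], raw[-32:]
        if not hmac.compare_digest(mac, hmac.new(SHARED_KEY, claim, hashlib.sha256).digest()):
            return None                   # forged or altered assertion
        body = json.loads(claim)
        expected = self.pending.pop(b_cookie, None)   # consumed: a replay finds nothing
        if expected is None or body["nonce"] != expected or body["aud"] != "b.com":
            return None                   # stale, stolen, or meant for another site
        self.logged_in[b_cookie] = body["user"]
        return body["user"]
```

Presenting the same redirect URL a second time, or from a browser with a different B.com cookie, is rejected because the nonce it carries no longer matches anything pending.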
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com