mythicalprogrammer

Reputation: 4757

2 servers, one authenticated user

This is going to be weird sorry and hopefully I'm posting it on the right website.

I got this question from an interview.

If I have two servers, one media server and the other hosting a website that requires user authentication.

The user has to log in to the website hosted on one server before accessing the media server. Only authenticated users can access the media and the media server.

I'm not sure how to go about this via PHP. I believe I can do this via sysadmin work, setting up a Kerberos server as a ticketing system. But for PHP I can only think of maybe some form of RSA public/private key encryption?

Another solution/hack would be to create some kind of hash and append it to the URL.

Or

Check the user's IP every time the user accesses the media file?

Note: at the company I applied to, the manager didn't seem very skilled at all. So maybe there is no safe solution?

Note:

I'm pretty sure I can't use PHP's session, since it's contained in one server? Perhaps a cookie? Is that even safe...

Thank you in advance.

Upvotes: 0

Views: 81

Answers (2)

Eugen Rieck

Reputation: 65304

This can be quite easy or quite hard: it depends on whether the media server trusts the web server or not.

Scenario 1: Media server trusts web server - easy

  • Both maintain a shared secret (in the widest sense - it can be a public/private key pair)
  • On login, the web server hands out a token to the client that is signed or encrypted with the shared secret (or the part the web server holds)
  • The client presents this token to the media server, which authenticates it via its copy (or part) of the shared secret
  • Thus the media server is in a position to make an access decision

Scenario 2: Media server does not trust web server - hard

  • Mind that you always need some sort of pool of common trust
  • This can be a distributed auth system, like Kerberos, OpenID, whatever

Upvotes: 1
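Scenario 1 from the answer above, worked through in PHP as an added example (this is not code from the answer or from the original poster): the web server issues an HMAC-signed token bound to one media path with a short expiry, and the media server verifies it with its copy of the shared secret. The secret value, the `example.com` hostnames, the `/videos/42.mp4` path and the function names are assumptions for illustration; the secret is assumed to be provisioned to both servers out of band. Requires PHP 7.4 or later.

```php
<?php
// Added example: HMAC-signed media URL token for "scenario 1" (media server trusts web server).
// SHARED_SECRET is assumed to be the same random value on both servers, deployed out of band.
// In production generate it once with bin2hex(random_bytes(32)) and keep it out of the web root.
const SHARED_SECRET = 'replace-with-output-of-bin2hex(random_bytes(32))';

// Web server side: called after a successful login when rendering a link to a media file.
function issue_media_token(string $userId, string $path, int $ttlSeconds = 300): string
{
    $payload = json_encode([
        'sub'  => $userId,
        'path' => $path,                 // bind the token to exactly one resource
        'exp'  => time() + $ttlSeconds,  // short lifetime limits replay of a leaked URL
    ], JSON_THROW_ON_ERROR);
    // URL-safe base64 so the token survives being a query parameter.
    $b64 = strtr(base64_encode($payload), '+/', '-_');
    $mac = hash_hmac('sha256', $b64, SHARED_SECRET);
    return $b64 . '.' . $mac;
}

// Media server side: verify before serving the file. Returns the claims or null on any failure.
function verify_media_token(string $token, string $requestedPath, ?int $now = null): ?array
{
    $now ??= time();
    $parts = explode('.', $token, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$b64, $mac] = $parts;
    // Verify the MAC before parsing anything; hash_equals is a constant-time comparison.
    $expected = hash_hmac('sha256', $b64, SHARED_SECRET);
    if (!hash_equals($expected, $mac)) {
        return null;
    }
    $json = base64_decode(strtr($b64, '-_', '+/'), true);
    if ($json === false) {
        return null;
    }
    $claims = json_decode($json, true);
    if (!is_array($claims) || !isset($claims['sub'], $claims['path'], $claims['exp'])
        || !is_string($claims['path']) || !is_int($claims['exp'])) {
        return null;
    }
    if ($claims['exp'] < $now) {
        return null;  // expired
    }
    if (!hash_equals($claims['path'], $requestedPath)) {
        return null;  // valid token, but for a different file
    }
    return $claims;
}

// Web server builds the link the browser will follow...
$token = issue_media_token('alice', '/videos/42.mp4');
$url   = 'https://media.example.com/videos/42.mp4?t=' . urlencode($token);

// ...and the media server checks it, e.g. with $_GET['t'] and the request path.
var_dump(verify_media_token($token, '/videos/42.mp4') !== null);  // true
var_dump(verify_media_token($token, '/videos/43.mp4'));           // NULL: wrong file
var_dump(verify_media_token($token . 'x', '/videos/42.mp4'));     // NULL: tampered MAC
var_dump(verify_media_token($token, '/videos/42.mp4', time() + 600)); // NULL: expired
```

The media server never talks to the web server or to a shared database; the MAC check alone decides. The token still travels in the URL, so serve it over HTTPS only and keep the expiry short, since anything in a URL ends up in logs, referrers and browser history.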

Joel Etherton

Reputation: 37543

Use a common domain for both servers and then perform a domain level authentication with an encrypted cookie where both servers have the same private decryption key.

Upvotes: 2
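The common-domain cookie approach from the answer above, as an added PHP example (not code from the answer or the original poster): the web server sets an AES-256-GCM encrypted cookie scoped to the parent domain, so the browser also sends it to the media host, and the media server decrypts it with the same key. The `.example.com` domain, the cookie name, the key constant and the function names are assumptions; both servers are assumed to share the 32-byte key, provisioned out of band. Requires PHP 7.3 or later with the OpenSSL extension.

```php
<?php
// Added example: encrypted auth cookie shared by www.example.com and media.example.com.
// COOKIE_KEY is assumed identical on both servers. Use random_bytes(32) for a real key.
const COOKIE_KEY  = '0123456789abcdef0123456789abcdef'; // exactly 32 bytes for AES-256
const COOKIE_NAME = 'auth';

// AES-256-GCM gives confidentiality and integrity, so a tampered cookie fails to decrypt.
function encrypt_cookie(array $claims): string
{
    $iv    = random_bytes(12);   // 96-bit nonce, fresh for every cookie issued
    $tag   = '';
    $plain = json_encode($claims, JSON_THROW_ON_ERROR);
    $cipher = openssl_encrypt($plain, 'aes-256-gcm', COOKIE_KEY, OPENSSL_RAW_DATA, $iv, $tag, '', 16);
    if ($cipher === false) {
        throw new RuntimeException('encryption failed');
    }
    return base64_encode($iv . $tag . $cipher);
}

// Returns the claims, or null if the cookie is malformed, forged, tampered with or expired.
function decrypt_cookie(string $value, ?int $now = null): ?array
{
    $raw = base64_decode($value, true);
    if ($raw === false || strlen($raw) < 28) {
        return null;
    }
    $iv     = substr($raw, 0, 12);
    $tag    = substr($raw, 12, 16);
    $cipher = substr($raw, 28);
    $plain  = openssl_decrypt($cipher, 'aes-256-gcm', COOKIE_KEY, OPENSSL_RAW_DATA, $iv, $tag);
    if ($plain === false) {
        return null;  // GCM tag check failed: wrong key or modified cookie
    }
    $claims = json_decode($plain, true);
    if (!is_array($claims) || !isset($claims['sub'], $claims['exp']) || !is_int($claims['exp'])) {
        return null;
    }
    if ($claims['exp'] < ($now ?? time())) {
        return null;  // expired
    }
    return $claims;
}

// Web server, after login: scope the cookie to the parent domain so media.example.com gets it.
function set_auth_cookie(string $userId, int $ttl = 3600): void
{
    setcookie(COOKIE_NAME, encrypt_cookie(['sub' => $userId, 'exp' => time() + $ttl]), [
        'expires'  => time() + $ttl,
        'domain'   => '.example.com',  // sent to every *.example.com host
        'path'     => '/',
        'secure'   => true,            // HTTPS only, or the cookie can be sniffed in transit
        'httponly' => true,            // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
}

// Media server, on each request: decide from the cookie alone (pass $_COOKIE in practice).
function authenticated_user(array $cookies): ?string
{
    $claims = isset($cookies[COOKIE_NAME]) ? decrypt_cookie($cookies[COOKIE_NAME]) : null;
    return $claims['sub'] ?? null;
}

$c = encrypt_cookie(['sub' => 'alice', 'exp' => time() + 60]);
var_dump(authenticated_user([COOKIE_NAME => $c]));   // string(5) "alice"

// Flip one bit of the ciphertext: the GCM tag no longer matches, so access is denied.
$raw = base64_decode($c);
$raw[strlen($raw) - 1] = chr(ord($raw[strlen($raw) - 1]) ^ 0x01);
var_dump(authenticated_user([COOKIE_NAME => base64_encode($raw)]));  // NULL
```

Both hosts must sit under the same registrable domain for the `domain` attribute to work; a cookie set on `www.example.com` cannot be shared with an unrelated host, which is why the answer starts with "use a common domain". The expiry inside the encrypted payload is what the media server enforces; the cookie's own `expires` only tells the browser when to drop it.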
