C.S.

Reputation: 422

Security and feasibility concerns with logging into another server through a Business Catalyst front end

I have a client that has chosen to use Business Catalyst for their public facing services, and they want to access roughly four different servers for various activities. The design team has put forth a requirement to be able to log into these various servers using unique login forms on Business Catalyst for each destination.

The first issue is in having a login form within an https page. Business Catalyst has "secure zones" which can be exposed to users that have already logged into Business Catalyst, and I believe there is a way to do so without login by opening up the secure zone to a range of IP addresses. That doesn't feel like a good faith move by any developer (the secure zone is an oxymoron if it has to be exposed to everybody), so let me know if that passes the insanity check. Having the user log in to Business Catalyst just so they can log in to one of the secure servers is not going to work from a UX perspective.

The second issue is that Business Catalyst states that it must be within a secure zone before it can do any work with the external tools I need it to work with. This might be solved by resolving the first issue, but this has more to do with form queries in general. I have content modules that need to query these servers, without login, to pull non-critical information down as a response.

I have performed a non-exhaustive search over this weekend to try and find a graceful solution to this challenge, but it doesn't appear to be something that Business Catalyst was designed to handle.

For those of you who TLDR;

Upvotes: 0

Views: 401

Answers (1)

nudzo

Reputation: 18584

When a user logs in to BC, he will get a cookie named VSVxxxxx, where xxxxxx is the BC site ID. The content of the cookie is a hashed active session ID. BC then exports two web service APIs: CRM and eCommerce. In the CRM web service there's a method Contact_IsLoggedIn, which takes two parameters: user ID and session ID. The session ID is the one from the user's VSVxxxxx cookie. It returns true/false, whether the user is really logged in to BC.

Note that BC has a bit strange session handling... it lasts for 30 min, no matter whether the user clicks on the site or not.

Upvotes: 3
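One way the external servers could gate requests on the check nudzo describes, as an added example that is not part of the answer or of Business Catalyst's own code: read the VSV cookie, confirm it belongs to the expected BC site, and then ask the CRM web service rather than trusting the cookie's presence. The `contact_is_logged_in` callable is a hypothetical wrapper around Contact_IsLoggedIn (transport and credentials are not assumed here), and the `VSV<digits>` name pattern is an assumption.

```python
import re
from http.cookies import SimpleCookie
from typing import Callable, Optional, Tuple

# Business Catalyst sets a cookie named VSV<siteId> whose value is a hashed
# session ID (per the answer above). Assumption: the site ID part is numeric.
VSV_COOKIE = re.compile(r"^VSV(\d+)$")


def extract_bc_session(cookie_header: str) -> Optional[Tuple[str, str]]:
    """Return (site_id, session_id) from the VSV cookie, or None if absent."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    for name, morsel in jar.items():
        match = VSV_COOKIE.match(name)
        if match and morsel.value:
            return match.group(1), morsel.value
    return None


def authorize_request(cookie_header: str, user_id: str, expected_site_id: str,
                      contact_is_logged_in: Callable[[str, str], bool]) -> bool:
    """Decide whether the external server may serve this request.

    contact_is_logged_in(user_id, session_id) is a hypothetical wrapper for
    the CRM web service's Contact_IsLoggedIn call, injected so the example
    runs offline. Any failure fails closed.
    """
    session = extract_bc_session(cookie_header)
    if session is None:
        return False  # no BC session cookie: never trust the request
    site_id, session_id = session
    if site_id != expected_site_id:
        return False  # cookie from a different BC site is not ours to honour
    try:
        # The remote check is authoritative; the cookie alone proves nothing
        # (and BC sessions expire after 30 min regardless of activity).
        return bool(contact_is_logged_in(user_id, session_id))
    except Exception:
        return False  # CRM service unreachable or errored: fail closed
```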
