Dariusz Mydlarz

Reputation: 3002

Best way to safely pass a username to another site

I have one legacy site and another new one. The new site will be embedded into the legacy site as an iframe. In the new site I know the list of users registered in the legacy site. I want to know which user is opening my page, registered and logged in on the legacy site. What is the best way to pass the username from the old site to the new site in an HTTP URL, knowing that it is safe?

I was thinking about passing encrypted data as a GET parameter, which will be decrypted in the new site. This data would contain the username, a timestamp and a salt. In the new site I will check if the username is in my list of registered users, and I will grant access for a particular time. Is that a secure way?

There is only HTTP without SSL.

Upvotes: 0

Views: 162

Answers (3)

MvdD

Reputation: 23436

Sticking user info in the URL of a GET request may be safe if encrypted, but it will ruin your caching, as now the same page has a different URL for different users.

The thing that doesn't sound safe to me is that if both sites are served over HTTP, then the user could not have logged in safely to the old site. All traffic is in the clear and susceptible to eavesdropping.

I would recommend moving your site to HTTPS for both sites. If the sites are hosted on the same domain, you can set a cookie identifying the user that will work for both sites.

Even better would be to move to some social authentication provider like Facebook or Microsoft Live ID and avoid storing user passwords altogether.

Upvotes: 0

Roshith

Reputation: 2165

You should use POST whenever you transmit secure data over HTTP, not because it provides any additional security over GET, but because it will avoid logging the sensitive info in browser history and server logs.

Also, instead of sending the encrypted credentials over HTTP, you could generate some kind of token out of them and pass it across, which can be verified at the receiver end.

Upvotes: 1

eirasf

Reputation: 89

It looks pretty safe to me. You are delegating authentication to your new site and just signaling the old one. That should be safe provided your encryption method is.

Using salt and timestamp will take care of replay attacks, so I don't see any vulnerabilities in the method you propose, if you choose a safe encryption method, that is.

Upvotes: 0
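Below is an added example (not code from the question or any of the answers) of the token approach Roshith suggests, with the timestamp-plus-nonce replay check eirasf refers to. It uses an HMAC-SHA256 tag over a small JSON payload rather than encryption: what the new site needs from the URL parameter is proof that the legacy site issued it for that user and that it has not expired or been used before, and the username is not a secret in this setup anyway. The shared secret, the user list and the 300-second lifetime are assumed values chosen for the example; the nonce cache is an in-process dictionary, so a multi-server deployment would need a shared store. Note that, as MvdD points out, over plain HTTP an eavesdropper can still read the token in transit; the nonce only stops it being accepted a second time.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Assumed for this example: a secret shared by the legacy site (issuer) and the
# new site (verifier). Load it from configuration in practice; it never goes in the URL.
SHARED_SECRET = b"replace-with-32-random-bytes-from-secrets.token_bytes"

# Constructed sample of the new site's list of registered users.
REGISTERED_USERS = {"alice", "bob"}

TOKEN_TTL_SECONDS = 300   # how long a token stays valid after issue
CLOCK_SKEW_SECONDS = 30   # tolerated clock drift between the two servers


def _b64url(raw: bytes) -> str:
    """URL-safe base64 without padding, so the token survives a query string."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(username: str, secret: bytes = SHARED_SECRET, now: Optional[int] = None) -> str:
    """Legacy site: bind username, issue time and a random nonce under an HMAC tag."""
    payload = {
        "u": username,
        "t": int(time.time() if now is None else now),
        "n": secrets.token_hex(16),   # nonce: lets the verifier reject a replayed token
    }
    body = json.dumps(payload, separators=(",", ":"), sort_keys=True).encode("utf-8")
    mac = hmac.new(secret, body, hashlib.sha256).digest()
    return f"{_b64url(body)}.{_b64url(mac)}"


class TokenVerifier:
    """New site: checks the tag, the time window, the nonce and the user list."""

    def __init__(self, secret: bytes = SHARED_SECRET, registered_users=REGISTERED_USERS,
                 ttl: int = TOKEN_TTL_SECONDS, skew: int = CLOCK_SKEW_SECONDS):
        self.secret = secret
        self.registered_users = set(registered_users)
        self.ttl = ttl
        self.skew = skew
        self._seen = {}   # nonce -> time after which it can be forgotten (single process only)

    def _purge(self, now: int) -> None:
        for nonce, expires in list(self._seen.items()):
            if expires <= now:
                del self._seen[nonce]

    def verify(self, token: str, now: Optional[int] = None) -> Optional[str]:
        """Return the username if the token is acceptable, otherwise None."""
        now = int(time.time() if now is None else now)
        try:
            body_b64, mac_b64 = token.split(".", 1)
            body = _b64url_decode(body_b64)
            mac = _b64url_decode(mac_b64)
        except (ValueError, TypeError):
            return None                      # malformed
        expected = hmac.new(self.secret, body, hashlib.sha256).digest()
        if not hmac.compare_digest(mac, expected):
            return None                      # forged or tampered; checked before parsing
        try:
            payload = json.loads(body)
            username = str(payload["u"])
            issued = int(payload["t"])
            nonce = str(payload["n"])
        except (ValueError, KeyError, TypeError):
            return None
        if issued > now + self.skew or now - issued > self.ttl:
            return None                      # dated in the future, or expired
        self._purge(now)
        if nonce in self._seen:
            return None                      # replay within the validity window
        if username not in self.registered_users:
            return None
        # Remember the nonce until the token could no longer be accepted anyway.
        self._seen[nonce] = issued + self.ttl + self.skew
        return username


if __name__ == "__main__":
    tok = issue_token("alice")
    print("token for the iframe URL:", tok)
    verifier = TokenVerifier()
    print("first use:", verifier.verify(tok))    # 'alice'
    print("second use:", verifier.verify(tok))   # None (replay)
```

The legacy site would put `issue_token(current_user)` in the iframe's `src` query string, and the new site would call `verify()` once per request and start its own session from the returned username, so the token is never needed again. The MAC is checked before the JSON is parsed so that unauthenticated input never reaches the parser.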
