[drupal-devel] remote auth and required email/password fields
Gerhard Killesreiter
killesreiter at physik.uni-freiburg.de
Wed Mar 16 17:37:47 UTC 2005
On Wed, 16 Mar 2005, Vladimir Zlatanov wrote:
> > An idea (proposed by somebody else) for secure remote auth would be to
> > let the user authenticate at the "home server" and only send a "yes" or
> > "no" to the remote server. The remote server would pass the session ID
> > along and get it back if authentication was successful. I am not
> > completely sure, if this process is safe from exploits, though.
> It is not safe from 'man in the middle' exploits. If somebody
> manages to pretend to be the 'home server', then they rule.
Yeah, I guess.
> It is possible though, to devise a scheme which can avoid that,
> something along the lines:
> prerequisite - some form of trust established between remote and
> home, preferably some form of signing the messages.
I was actually thinking to use gpg keys to do the encryption I spoke
about. "Unfortunately" all the sites I would want to have in a trusted
network will run on the same server and so I will simply share the user
table. So I will not code this.
Cheers,
Gerhard
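
The signed yes/no exchange discussed in this thread, as an added example that is not part of the original message or of Drupal. It assumes a pre-shared HMAC key in place of the gpg signing mentioned above; the function names, field names and key are hypothetical.

```python
import hashlib
import hmac
import json
import time

# Constructed demo key. Assumption: the two sites exchanged it out of band.
SHARED_KEY = b"constructed-demo-key"
MAX_AGE = 60  # seconds for which a verdict is accepted


def _mac(key, body):
    return hmac.new(key, body, hashlib.sha256).hexdigest().encode()


def home_sign_verdict(key, session_id, nonce, user, ok, now=None):
    """Home server: sign the yes/no together with the remote's session ID and nonce."""
    claims = {"sid": session_id, "nonce": nonce, "user": user, "ok": bool(ok),
              "iat": int(time.time() if now is None else now)}
    body = json.dumps(claims, sort_keys=True, separators=(",", ":"))
    return {"body": body, "mac": _mac(key, body.encode()).decode()}


def remote_check_verdict(key, msg, session_id, nonce, now=None):
    """Remote server: return the user name only for an authentic, fresh 'yes'
    that answers this exact login attempt; otherwise return None."""
    body = str(msg.get("body", "")).encode()
    mac = str(msg.get("mac", "")).encode()
    # Constant-time comparison. A party without the key (someone pretending
    # to be the home server) cannot produce a matching MAC.
    if not hmac.compare_digest(_mac(key, body), mac):
        return None
    claims = json.loads(body)  # parsed only after the MAC has been verified
    now = time.time() if now is None else now
    # The session ID and nonce tie the answer to one attempt, so a captured
    # "yes" cannot be replayed into another session.
    if claims["sid"] != session_id or claims["nonce"] != nonce:
        return None
    if not 0 <= now - claims["iat"] <= MAX_AGE:
        return None
    return claims["user"] if claims["ok"] is True else None
```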