[drupal-devel] remote auth and required email/password fields

Gerhard Killesreiter killesreiter at physik.uni-freiburg.de
Wed Mar 16 17:37:47 UTC 2005

On Wed, 16 Mar 2005, Vladimir Zlatanov wrote:

> > An idea (proposed by somebody else) for secure remote auth would be to
> > let the user authenticate at the "home server" and only send a "yes" or
> > "no" to the remote server. The remote server would pass the session ID
> > along and get it back if authentication was succesfull. I am not
> > completely sure, if this process is safe from exploits, though.

> It is not safe for a 'man in the middle' exploits. If somebody
> manages to pretend to be the 'home server', the they rule.

Yeah, I guess.

> It is possible though, to devise a scheme which can avoid that,
> something along the lines:

> prerequisite - some form of trust established between remote and
> home, preferably some form of signing the messages.

I was actually thinking to use gpg keys to do the encryption I spoke
about. "Unfortunately" all the sites I would want to have in a trusted
network will run on the same server and so I will simply share the user
table. So I will not code this.


More information about the drupal-devel mailing list