authentication - Auto login user to third party site without showing a password to him -

-

background

We are unifying third party email solutions in our site. When a user goes to the Mail page, then it must be automatically authenticated on the mail site.

For now, our page has mail link points which automatically submits a form with the user's login and password by clicking Submit After the user is redirected to the mail site with the certification cookie.

The problem with this approach is that we do not want the user to see their mail password, because we automatically generate it for ourselves and some prudent reasons to show it Are not for

Question

Is there a way to get mail authentication cookies without sending the login information to the client and doing the form.submit operation from the client's browser Are you Is there a better way to do this, what am I trying to do?

Edit

Of course "I'm trying to programmatize it". It seems that the client does not have any valid solution except these logins / passwords. It seems that we have to admit that the user can see his mail password and in any way make sure that he can not use this information to change the password of any other value that we do not know.

edit: I did not read the post correctly, I thought it was Was trying to enter a remote mail application, which was not hosted on its own server. Do not ignore this answer.

When you log into the remote third party mail website, they make cookies (since HTTP is stateless, this is the only way a user knows that unless he stores Some type of session ID in the URL). When you send the user to that site, the site needs to authenticate the user. Even if you have logged in with your application and have caught a cookie, then you can set a cookie on the user's browser for other websites. The only way to do this is to work on a third party website that you can develop to some extent, or they allow you to use session IDs in the URL.

Possible solutions but there is a security risk If they allow you to set session_ID in the URL (for example PHP, PHPSIDAD), you can catch session IDs And you can add it to the URL when sending to the user. I really do not like this idea because if the user clicks on a link in the e-mail, then the new page will be able to check in the context and see its session ID in the URL. This can be a major security risk.


Comments

Post a Comment

Popular posts from this blog

c# - How to capture HTTP packet with SharpPcap -

-
I would like to capture all incoming HTTP packets on my machine. To do this, I am using SharpPcap which is a WinPcap The cover is. SharpPcap works very well, but it captures TCP packets and what it wants to do for me is a very low level. Does anyone know how can I easily get full HTTP requests / reactions from all these TCP packets? Thanks SharpPcap is already able to capture the packet in the same way That's what the virus does (just in the code instead of the GUI). And you can either either parse them directly or you can put them in the drive in the common .pcap file format. The steps to parse the capture are: Open a connection at any time Loop a while Or start capturing using an event callback Parsing the raw packet for the type you want If you are reading .PPP dump files In addition to calling you an offline capture reader is almost the same, there is no need to select an interface, and you can set the majority There is no need to do the modes. All st...
Read more

php - Multiple Select with Explode: only returns the word "Array" -

-
By using Wordpress I have created a multiple selection box so that users can select categories to exclude. When the page is initially loaded, I see my predefined default option. However, when I select a new value and I save ... I only see the word "Array" and have not chosen anything else? & lt; Class = "amultiple" id = "& lt; php echo $ value ['id'] ;? gt;" name = "& gt; php echo $ value ['id'] ;; gt; []" Multiple = "multiple" size = "8" & gt; & Lt ;? Php global option; Foreign currency ($ value as value $) {if (get_settings ($ value ['id']) === FALSE {$$ value ['id'] = $ value ['std']; } And {$$ value ['id'] = get_settings ($ value ['id']); }} $ Ranges = & amp; Amp; Categories ('type = post & orderbiz = name & amp; hide_empty = 1'); If ($ ranges) {$ ex_cat = implode (',', $ tt_cat_exclude); Forex Currency ($ range a...
Read more

php - jQuery AJAX Post not working -

-
I do not understand why this script does not work. It has something to do within AJAX PostScript / Function. Right now, when I submit my form, it runs php code on the same page. What it should do, send the values ​​of the form for Project_Azax.fp, then there will be a refund of success on the page which is correct or false. $ (document) .ready (function () {$ ('div # didIt'). Hide (); $ ('form [name = adminForm]'). Submit (function () ($ {'.post' ('/ project_ajax.php', {action: $ ('[name = action]') Val (), pId: $ ('[name = pId]'). Val (), name ('[Name = name]'. Val (), url: $ ('[url = url]'). Val (), summary: ('[summary = summary]'). Val ()}, Function (data) {if (data.success) {$ ('div # didIt') .Sliddown ('slow');} and {warning ('unsuccessful SA!');}}, 'Jason'); return false ;});}); What is the code for project_ajax.php below ... if ($ _ POST ['action'] == ...
Read more