[Zope] redirect between domains & maintain login
Andreas Jung
lists at andreas-jung.com
Thu Dec 23 15:00:32 EST 2004
--On Donnerstag, 23. Dezember 2004 11:47 Uhr -0800 Declan Shanaghy
<declan at shanaghy.com> wrote:
> I have set up a portal of shopping sites.
> Each merchant we support has their own domain set up.
>
> e.g.
>
> http://www.some-merchant.com
>
> Seeing as they are shopping sites certain pages have
> to be handled by SSL.
>
> Due to SSL limitations only 1 SSL domain +certificate
> can exist per ip, and we only have 1 ip. Therefore my
> solution is that for non SSL pages the merchant can
> use their own unique domain name, but all SSL pages
> will be redirected to
>
> https://merchantname.portal.com and an SSL certificate
> is setup with a CN of *.portal.com
>
> A problem arises when switching between domains like
> this. The login cookie is lost. Curently i do a
> redirect between domains and include __ac_name and
> __ac_password arguments in the URL so the user stays
> logged in, but this causes the username and password
> to be displayed in the address bar in plain text.
>
> I'd like to secure this more.
>
> Is there any way that i could
>
> A - Encrypt __ac_name and __ac_password values?
>
> or
>
> B - Set the cookie for both domains so name and
> password dont have to be transferred?
>
>
We do something like that:
- if the user visits site A then we assign the user a unique session ID
*and*
store the __ac cookie on the server side as part of the session info
- if the user visits site B and the session ID must be passed somehow to
site B.
site B then takes the __ac info stored on the server and sends a
setCookie('__ac',...)
header to the client
This works only if you can share session informations between sites however
this approach
might be a bit insecure. At least it works for us within an in-house
application.
-aj
More information about the Zope
mailing list