开发者

How to submit an HTML form to another domain with authentication

I have a website on Domain A that has a page with an html form that a user can enter a string into, which submits to Domain B.

The form currently contains a hidden in开发者_运维技巧put field with a name/value that Domain B uses to "authenticate"/identify Domain A.

Now, I'm primarily a C# coder with minimal web experience and even I know this isn't a secure way to do this.

What is the best way for a form on Domain A to submit to Domain B securely?

Some ways I've considered:

Have Domain B identify Domain A by domain name or IP. I suppose this would be better than a hidden input field, but domain name and IP could be spoofed, correct?

Have Domain A pass authentication credentials (user/pass for example) to Domain B via some other method besides a hidden field. Not sure how.

Edit

Another possibility: Create a private/public key. Have Domain A pass the private key to Domain B who validates using the public key, possibly via HTTPS. Not sure how Domain A would pass the private key without exposing it in the HTML. Ideas?


A hidden input with a value to authenticate the user CAN be a secure method depending on what the value is and how it's generated. You could have Domain A make an AJAX call to Domain B requesting a token which must be submitted along with the form.

This token should only be accepted only once by domain B and should also expire after a certain amount of time.

Finally, you can also send along an identifier for the user. This should be encrypted in some way for transfer. I would suggest either HMAC or public key encryption.

Option 2: Use OpenID ;)


I have done something similar in the past. This method is frowned-upon by most, but it has worked for me:

Define matching users on both domains. Give them both the same password (and you should probably set it to never expire).

Then, when you run your app in Domain A as this user, it will use pass-through authentication to authenticate on Domain B. You'll just need to make sure the user account has proper perms on both domains.

0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜