[Owasp-austin] Question to the app security smartypants (plural)
Ernest.Mueller at ni.com
Thu Nov 1 16:33:30 EDT 2007
I thought I'd use this list for a little discussion to get people's juices
So, question. I have a Web site that needs to integrate its custom login
procedures with various ASPs - in other words, we have a Web site login.
As we "outsource" parts of our Web site, we want users to be able to log in
and go to site sections really hosted on ASPs and be "logged in".
What are the "industry standard" secure ways of doing this? I have
programmers talking about all kinds of crazy solutions; spoofing setting of
cookies, putting junk in URLs, etc. I'm not sure what the canonical
Assume that the site and the ASP have different but fairly-standard
login schemes (set a cookie, etc.)
Assume that it could be the first time the ASP's heard of the user; the
site doesn't pump all its user data to each partner proactively (meaning
some data transfer needs to take place at the time).
UN-altered REPRODUCTION and DISSEMINATION of
this IMPORTANT information is ENCOURAGED.