[Owasp-austin] Question to the app security smartypants (plural)

Ernest Mueller Ernest.Mueller at ni.com
Thu Nov 1 16:33:30 EDT 2007


I thought I'd use this list for a little discussion to get people's juices
flowing!

So, question.  I have a Web site that needs to integrate its custom login
procedures with various ASPs - in other words, we have a Web site login.
As we "outsource" parts of our Web site, we want users to be able to log in
and go to site sections really hosted on ASPs and be "logged in".

What's the "industry standard" secure ways of doing this?  I have
programmers talking about all kinds of crazy solutions; spoofing setting of
cookies, puting junk in URLs, etc.  I'm not sure what the canonical
solution is...

   Assume that the site and the ASP have different but fairly-standard
   login schemes (set a cookie, etc.)
   Assume that it could be the first time the ASP's heard of the user; the
   site doesn't pump all its user data to each partner proactively (meaning
   some data transfer needs to take place at the time).

Thoughts?

Thanks,
Ernest
______________________
UN-altered REPRODUCTION and DISSEMINATION of
this IMPORTANT information is ENCOURAGED.



More information about the Owasp-austin mailing list