[Owasp-austin] Question to the app security smartypants (plural)

Zhang, Betty betty.zhang at hp.com
Tue Nov 6 10:39:32 EST 2007


Ernest,

In HP, an application does authorization, but NOT authentication.
Authentication is provided by a centralized service, which an
application has to be programmed to use.  This way, an application isn't
involved in user account management (approving accounts or removing
accounts when a user leaves the company), password length, complexity,
expiration, reset, etc.

Thanks.
Betty

-----Original Message-----
From: owasp-austin-bounces at lists.owasp.org
[mailto:owasp-austin-bounces at lists.owasp.org] On Behalf Of Ernest
Mueller
Sent: Thursday, November 01, 2007 3:34 PM
To: owasp-austin
Subject: [Owasp-austin] Question to the app security smartypants
(plural)


I thought I'd use this list for a little discussion to get people's
juices flowing!

So, question.  I have a Web site that needs to integrate its custom
login procedures with various ASPs - in other words, we have a Web site
login.
As we "outsource" parts of our Web site, we want users to be able to log
in and go to site sections really hosted on ASPs and be "logged in".

What's the "industry standard" secure way of doing this?  I have
programmers talking about all kinds of crazy solutions; spoofing setting
of cookies, putting junk in URLs, etc.  I'm not sure what the canonical
solution is...

   Assume that the site and the ASP have different but fairly-standard
   login schemes (set a cookie, etc.)
   Assume that it could be the first time the ASP's heard of the user; the
   site doesn't pump all its user data to each partner proactively (meaning
   some data transfer needs to take place at the time).

Thoughts?

Thanks,
Ernest
______________________
UN-altered REPRODUCTION and DISSEMINATION of this IMPORTANT information
is ENCOURAGED.
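One way to implement the handoff Ernest describes, as an added example that is not code from either poster: the site issues a short-lived, signed login assertion carrying the user data the partner needs, and the partner verifies the signature, audience, age and nonce before creating the account on first sight. The shared secret, audience name and TTL below are constructed for the example; a real deployment would provision one secret per partner out of band (or use a federation standard such as SAML, which packages the same checks).

```python
import base64, hashlib, hmac, json, secrets, time

# Constructed for the example: one secret shared between the site and this partner.
SHARED_SECRET = b"example-site-to-partner-secret"
TOKEN_TTL = 300  # seconds an assertion stays acceptable after issue

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(payload: str) -> str:
    return _b64(hmac.new(SHARED_SECRET, payload.encode(), hashlib.sha256).digest())

def issue_assertion(user: dict, audience: str, now=None) -> str:
    """Site side: build 'payload.signature' for a user who just logged in here."""
    issued = int(time.time() if now is None else now)
    body = {"sub": user["id"], "email": user["email"], "name": user["name"],
            "aud": audience, "iat": issued, "nonce": secrets.token_hex(8)}
    payload = _b64(json.dumps(body, sort_keys=True).encode())
    return payload + "." + _sign(payload)

class PartnerLogin:
    """Partner (ASP) side: accept assertions and provision unknown users just in time."""
    def __init__(self, audience: str):
        self.audience = audience
        self.users = {}            # local accounts keyed by the site's user id
        self.seen_nonces = set()   # replay protection within the TTL window

    def accept(self, token: str, now=None):
        """Return the site user id on success, None on any failed check."""
        now = time.time() if now is None else now
        try:
            payload, sig = token.split(".")
        except ValueError:
            return None
        # Verify the signature before trusting anything inside the payload.
        if not hmac.compare_digest(sig, _sign(payload)):
            return None
        body = json.loads(_unb64(payload))
        if body["aud"] != self.audience:              # meant for a different partner
            return None
        if not (now - TOKEN_TTL <= body["iat"] <= now + 60):  # too old, or clock skew
            return None
        if body["nonce"] in self.seen_nonces:         # already redeemed
            return None
        self.seen_nonces.add(body["nonce"])
        # First time this partner hears of the user: create the account from the assertion.
        self.users.setdefault(body["sub"], {"email": body["email"], "name": body["name"]})
        return body["sub"]
```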

_______________________________________________
Owasp-austin mailing list
Owasp-austin at lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-austin


More information about the Owasp-austin mailing list