I have Site A on Server A with a static IP (ASP backend). I'm planning to build Site B on Server B (PHP backend). Site B will manage the user lists for Site A. Users are added to the system manually by a central admin team. Online registration is not a requirement. Users who log in to Site A will need to be validated against the list at Site B.

Is there a recommended method of doing this? My thoughts were that:

- Site A could send a request to Site B which would include an encrypted username and password
- the IP of the requesting site would be matched against the known, static IP of Site A; no match, no validation check
- the username and password would be validated against Site B's database
- the validation result would be returned as a simple text string to Site A
- the user would be given access to Site A

Any other techniques, security tricks I could utilise?
Well, if it's already been decided that you have to do it this way (with 2 servers), there are some things you can do to make it more secure. Like you mention, only accept requests from server A's IP. Then to make sending the username/password more secure, you have 2 requests. Server A sends a request to Server B "Can I validate". If the request came from A's IP, Server B responds "Yes" along with a randomly generated number. That number is then used on Server A in part of the encryption algorithm, so that the encryption is different every time and Server A then sends the encrypted request to Server B. Server B then decrypts the request using the last generated random number, validates the user and sends back the response. This kind of setup is called challenge/response authentication and is fairly secure and makes it a lot more complicated to try and break the encryption.
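The two-request exchange described in the reply above, as an added example that is not the poster's code: Server B hands a random nonce only to Site A's static IP, then checks the answer. Instead of encrypting the password with the nonce, the answer here is an HMAC keyed with a per-user verifier, so the password itself never crosses the wire and a replayed or stale answer is rejected; the IP, user and password are constructed sample values.

```python
import hmac, hashlib, secrets, time

# Constructed sample data: the one IP Server B trusts for Site A, and B's user list.
TRUSTED_SITE_A_IP = "203.0.113.10"   # assumed static IP (documentation range)
USER_VERIFIERS = {                   # B stores a per-user verifier, never the password
    "alice": hashlib.sha256(b"correct horse").hexdigest(),  # unsalted for brevity
}
NONCE_TTL_SECONDS = 30

class SiteB:
    """Validation service on Server B: issues challenges and checks responses."""
    def __init__(self):
        self._challenges = {}        # nonce -> issue time; each nonce is single-use

    def request_challenge(self, client_ip):
        # Request 1 ("Can I validate"): only Site A's known static IP gets a nonce.
        if client_ip != TRUSTED_SITE_A_IP:
            return None
        nonce = secrets.token_hex(16)
        self._challenges[nonce] = time.time()
        return nonce

    def validate(self, client_ip, username, nonce, response):
        # Request 2: re-check the IP, then consume the nonce so a replay fails.
        if client_ip != TRUSTED_SITE_A_IP:
            return "DENY"
        issued = self._challenges.pop(nonce, None)
        if issued is None or time.time() - issued > NONCE_TTL_SECONDS:
            return "DENY"
        verifier = USER_VERIFIERS.get(username)
        if verifier is None:
            return "DENY"
        expected = hmac.new(verifier.encode(), nonce.encode(), hashlib.sha256).hexdigest()
        # Constant-time comparison so timing does not leak how much of the tag matched.
        return "OK" if hmac.compare_digest(expected, response) else "DENY"

def site_a_login(site_b, source_ip, username, password):
    """Site A side: fetch a nonce, answer it from the typed password, return B's verdict."""
    nonce = site_b.request_challenge(source_ip)
    if nonce is None:
        return "DENY"
    verifier = hashlib.sha256(password.encode()).hexdigest()
    response = hmac.new(verifier.encode(), nonce.encode(), hashlib.sha256).hexdigest()
    return site_b.validate(source_ip, username, nonce, response)
```

The simple text string B returns ("OK" or "DENY") is what Site A acts on; the whole exchange should still run over TLS, since the nonce and username are visible in transit otherwise.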
Thanks, that's a cool addition. And yes, we do have to have the two servers. Right Royal Pain, but c'est la vie (clichés galore).
Use a centralised authentication DB (LDAP would be a nice fit here) and authenticate against that over TLS/SSL. No messing about with writing your own authentication schemes, keeps things nice and simple - you can even make Apache do the auth checking directly against LDAP.
Any useful resources or tutorials on that? I did a research thing at work on LDAP about 5 years ago and haven't looked at it since.
The Linux LDAP howto is probably the best place to start. I'd be happy to set up a working LDAP installation and suitable schema for a fee, PM me if interested.
LDAP looks interesting, although I honestly hadn't seen it before. I'm always cautious about using a tool that I haven't mastered 100% and that's not 100% suited to the job at hand. After 1 minute of Googling, I'm not sure LDAP is really what is needed for this job; I'd say it's overkill, and sometimes really good programs, when they're misconfigured or not used right, can leave gaping security holes. I'd still be inclined to homebrew a simple authentication system tailor-made for this application and use SSL as an extra layer of security.
LDAP is well suited to this task because it provides easy extensibility. Once you've set it up there's nothing more to do should server C also need to access the database. You're re-using a well known code base, which always has to be preferable to coding your own (potentially flawed) solution.