Quoting Me <wphewitt@attbi.com>:
> What I am trying to do is use authentication over a secured channel to determine an end user and their roles *without* asking them to log in again..... I know from the HTTP_REFERER variable that they have already validated and I don't want to make them log in again.....
As I'm sure someone will point out, this is ludicrously insecure. The HTTP_REFERER variable is sent from the client, and as such can be changed, and your "login" can be spoofed. I recommend looking into the various auth products (exUserFolder being my personal favourite) and if you *must* have some kind of cross-site login, do something with (secure) cookies.
> If anyone has any slick suggestion on how I might do this easily, I would greatly appreciate it...
I'm not really sure how SSL and authentication are related unless:
1) You're doing client SSL certificate auth - which is very interesting
2) You want to protect the initial username/password data, which is fine but hardly novel.
What you sound like you want to do (common authentication between two sites) is something like passport.com, which they do using an (albeit clever) cookie setup and HTTP redirects. Some more details would help.
> TIA
> WPH
Cheers,
Phil