[Zope] redirect between domains & maintain login

Andreas Jung lists at andreas-jung.com
Thu Dec 23 15:00:32 EST 2004



--On Donnerstag, 23. Dezember 2004 11:47 Uhr -0800 Declan Shanaghy 
<declan at shanaghy.com> wrote:

> I have set up a portal of shopping sites.
> Each merchant we support has their own domain set up.
>
> e.g.
>
> http://www.some-merchant.com
>
> Seeing as they are shopping sites certain pages have
> to be handled by SSL.
>
> Due to SSL limitations only 1 SSL domain +certificate
> can exist per ip, and we only have 1 ip.  Therefore my
> solution is that for non SSL pages the merchant can
> use their own unique domain name, but all SSL pages
> will be redirected to
>
> https://merchantname.portal.com and an SSL certificate
> is setup with a CN of *.portal.com
>
> A problem arises when switching between domains like
> this.  The login cookie is lost.  Currently I do a
> redirect between domains and include __ac_name and
> __ac_password arguments in the URL so the user stays
> logged in, but this causes the username and password
> to be displayed in the address bar in plain text.
>
> I'd like to secure this more.
>
> Is there any way that i could
>
> A - Encrypt __ac_name and __ac_password values?
>
> or
>
> B - Set the cookie for both domains so name and
> password don't have to be transferred?
>
>


We do something like that:

 - if the user visits site A then we assign the user a unique session ID *and*
   store the __ac cookie on the server side as part of the session info

 - if the user visits site B, the session ID must be passed somehow to site B.
   Site B then takes the __ac info stored on the server and sends a
   setCookie('__ac',...) header to the client

This works only if you can share session information between sites; however,
this approach might be a bit insecure. At least it works for us within an
in-house application.

-aj
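The handoff Andreas describes, as an added example that is not part of the
original thread and not Zope code. It goes slightly beyond the post: instead of
passing the session ID itself across domains, site A mints a random, single-use,
short-lived token bound to the target host, and site B redeems that token
against the shared store to re-issue the __ac cookie. The __ac value and the
session ID never appear in a URL. SessionStore, login, begin_handoff,
complete_handoff, token_from_url, HANDOFF_TTL_SECONDS and the sample hostnames
and cookie values are all assumptions made for this example.

```python
"""Cross-domain login handoff through a shared server-side session store.

Added example for the Zope thread above; not the project's or the
poster's code.  Names, hostnames and cookie values are assumptions.
"""
import secrets
import time
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlencode, urlparse

HANDOFF_TTL_SECONDS = 60  # assumed: a browser redirect completes well within this


@dataclass
class Session:
    ac_cookie: str  # opaque __ac cookie value issued to the user at login on site A


@dataclass
class Handoff:
    session_id: str
    target_host: str  # the only host allowed to redeem this token
    expires_at: float


class SessionStore:
    """Stand-in for the session storage both sites share (e.g. a shared database).

    `clock` is injectable so expiry can be tested without sleeping.
    """

    def __init__(self, clock=time.time):
        self._sessions: dict[str, Session] = {}
        self._handoffs: dict[str, Handoff] = {}
        self._clock = clock

    def login(self, ac_cookie: str) -> str:
        """Site A: after a successful login, bind the __ac value to a new session ID."""
        session_id = secrets.token_urlsafe(32)
        self._sessions[session_id] = Session(ac_cookie=ac_cookie)
        return session_id

    def begin_handoff(self, session_id: str, target_host: str) -> str:
        """Site A: mint a one-time token and return the https URL to redirect to.

        The session ID stays in site A's own cookie; only the token crosses domains.
        """
        if session_id not in self._sessions:
            raise KeyError("unknown session")
        token = secrets.token_urlsafe(32)  # 256 bits of randomness, unguessable
        self._handoffs[token] = Handoff(
            session_id=session_id,
            target_host=target_host,
            expires_at=self._clock() + HANDOFF_TTL_SECONDS,
        )
        return f"https://{target_host}/handoff?" + urlencode({"t": token})

    def complete_handoff(self, token: str, request_host: str):
        """Site B: redeem the token exactly once.

        Returns the Set-Cookie header value for __ac, or None if the token is
        unknown, already used, expired, or presented to the wrong host.  The
        token is deleted on the first attempt regardless of outcome, so a
        token that leaks (Referer, proxy log, browser history) cannot be
        replayed after the legitimate redirect has landed.
        """
        handoff = self._handoffs.pop(token, None)
        if handoff is None:
            return None
        if self._clock() > handoff.expires_at:
            return None
        if handoff.target_host != request_host:
            return None
        session = self._sessions.get(handoff.session_id)
        if session is None:
            return None
        # Host-only cookie (no Domain attribute), TLS-only, not readable by script.
        return f"__ac={session.ac_cookie}; Path=/; Secure; HttpOnly"


def token_from_url(url: str) -> str:
    """Site B: extract the handoff token from the redirect URL's query string."""
    return parse_qs(urlparse(url).query)["t"][0]
```

Because the token is removed from the store on first use, a second visit to the
same handoff URL (bookmark, history, a leaked Referer) gets nothing; the short
TTL limits how long a token captured in a log stays usable; and binding the
token to merchantname.portal.com means it cannot be redeemed by a different
*.portal.com vhost. The store itself still has to be reachable by both sites
and protected like any other session backend.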
