I have a public facing web page in .Net that I would like to put anchor tags in that go to a web page produced by a Java server in my distributed system. For example, Bob logs in from the WWW and goes to the home page. I would like to have a link to http://javaserver/form.jsp?username:Bob in the home page. But that would be insecure if someone on the internal network was snooping. They could just put in that url and act as Bob through a replay attack. Encoding the username is also open to a replay attack. Any ideas?
Thanks!
https://javaserver/form.jsp?username:Bob still opens me to a replay attack by just putting in that url.
https on the public and the private servers

The random token should be created with a cryptographically secure random number generator. It should also be changed/invalidated after a certain amount of time. If you are going to delegate the verification to the public server, you will also need to authenticate the delegating (local) server in a secure manner. To prevent brute-force attacks, block repeated invalid attempts.
There are quite a few pitfalls, so be wary of implementing any sort of security mechanism yourself.
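One way to build the handoff the answer describes (a random, short-lived, single-use token in place of the username), written as an added example rather than code from the question or the answer; it assumes a store shared by the public and Java servers (modelled here as a dict), a 60-second lifetime, a `token` query parameter, and a global failure counter for the brute-force block:

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 60      # assumed lifetime; the answer only says "a certain amount of time"
MAX_FAILED_REDEEMS = 5      # assumed threshold for blocking repeated invalid attempts


class HandoffTokens:
    """Issued by the public (.NET) side, redeemed by the Java side."""

    def __init__(self, ttl=TOKEN_TTL_SECONDS, max_failures=MAX_FAILED_REDEEMS, clock=time.time):
        self._pending = {}       # sha256(token) -> (username, expiry); assumed shared store
        self._failures = 0       # simplification: a real deployment counts per source
        self._blocked = False
        self._ttl = ttl
        self._max_failures = max_failures
        self._clock = clock      # injectable for testing expiry

    def issue(self, username):
        """Create an unguessable token bound to `username`, valid once and briefly."""
        token = secrets.token_urlsafe(32)            # CSPRNG, 256 bits of entropy
        # Store only the hash so a leaked store does not yield usable tokens.
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._pending[digest] = (username, self._clock() + self._ttl)
        return token

    def redeem(self, token):
        """Return the bound username for a valid token, otherwise None."""
        if self._blocked:
            return None
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self._pending.pop(digest, None)      # pop: replaying the same URL fails
        if entry is None:
            self._failures += 1
            if self._failures >= self._max_failures:
                self._blocked = True                 # stop guessing attempts
            return None
        username, expiry = entry
        if self._clock() > expiry:
            return None                              # expired token is already discarded
        self._failures = 0
        return username

    def link_for(self, username, base="https://javaserver/form.jsp"):
        """Build the home-page link; the token replaces the plain username."""
        return f"{base}?token={self.issue(username)}"
```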