I have a site which offers help information for users of a much larger application. Until recently both my help site and the main application were behind a corporate firewall. Now that the main application has been moved outside the firewall, I’ll have to move my help site as well.
My only security requirement is that users reaching my help site are only permitted to enter if they clicked the ‘Help’ link in the main application. (Obviously the company doesn’t want them to have to enter their credentials again.) I don’t need to exchange information back and forth between the sites.
I have looked at $_SERVER['HTTP_REFERER'] (not secure), OAuth and OpenID (which seem like overkill). I'm wondering if the answer lies in one-way SSL authentication (the main app has a cert), but I'm getting a little lost here.
So the question is: what is the simplest way to do this, and what would that look like in terms of Apache and PHP?
Thank you very much for any advice!
The link to help could contain a token string. When the user clicks the link, the help system sees that token and makes a web service call to your application asking if that token is valid. If the token is valid, then the web service responds in the affirmative and the help site lets the user in. You could have the token be valid only if that user is signed in. Additionally, you could encode the IP address of the client in the URL and verify that the person trying to enter the help system is from the same IP address. So like this:
That way you've made sure the client is the same one, and that they were logged in to the other site. Your communication between yoursite and help.yoursite will have to be secure. It's a lot simpler than OAuth, and even kinda follows a similar protocol, BUT it's not as secure overall. There are still ways around it, but it's all up to how much risk you're willing to accept.
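The token scheme from the answer above, written out as an added example in PHP (not code from the answerer or from either site). It assumes a server-side token table shared by the main application's link generator and its validation endpoint (`$store`, an array here standing in for a database or cache), a validation URL `$validateUrl` on the main app, and that the help site compares the client address it observes itself rather than one carried in the link; the main app only ever hands out a token for a user who is currently signed in.

```php
<?php
declare(strict_types=1);

// --- Main application side -------------------------------------------------

// Issue a random, single-use, short-lived token bound to the signed-in user
// and the client IP. Call this only when the current session is authenticated.
function issue_help_token(array &$store, string $userId, string $clientIp, int $now, int $ttl = 60): string
{
    $token = bin2hex(random_bytes(32));           // 256 bits of entropy, unguessable
    $store[$token] = ['user' => $userId, 'ip' => $clientIp, 'exp' => $now + $ttl];
    return $token;
}

// Logic behind the validation web service: consume the token exactly once and
// accept it only if it is unexpired and the caller reports the same client IP.
function validate_help_token(array &$store, string $token, string $clientIp, int $now): bool
{
    if (!isset($store[$token])) {
        return false;
    }
    $entry = $store[$token];
    unset($store[$token]);                        // single use, even when the check fails
    if ($now > $entry['exp']) {
        return false;
    }
    return hash_equals($entry['ip'], $clientIp);
}

// --- Help site side --------------------------------------------------------

// Ask the main application over HTTPS whether the token from the
// /help?token=... link is valid for the IP the help site itself observes.
// On success the caller should start its own help session and redirect to a
// URL without the token, so the token never lingers in history or referrers.
function help_site_admit(string $validateUrl, string $token, string $observedIp): bool
{
    if (!preg_match('/^[0-9a-f]{64}$/', $token)) {
        return false;                             // reject malformed input before any call
    }
    $ch = curl_init($validateUrl . '?' . http_build_query(['token' => $token, 'ip' => $observedIp]));
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,           // the main app's certificate must verify
        CURLOPT_TIMEOUT        => 5,
    ]);
    $body = curl_exec($ch);
    $code = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    curl_close($ch);
    return $code === 200 && $body === 'valid';    // endpoint assumed to answer the literal 'valid'
}
```

The validation endpoint on the main app simply calls `validate_help_token()` with the submitted token and IP and answers `valid` or `invalid`; a token is therefore worthless once it has been used, has aged out, or is presented from a different address.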