I have a website on Domain A that has a page with an html form that a user can enter a string into, which submits to Domain B.
The form currently contains a hidden input field with a name/value that Domain B uses to “authenticate”/identify Domain A.
Now, I’m primarily a C# coder with minimal web experience and even I know this isn’t a secure way to do this.
What is the best way for a form on Domain A to submit to Domain B securely?
Some ways I’ve considered:
Have Domain B identify Domain A by domain name or IP. I suppose this would be better than a hidden input field, but domain name and IP could be spoofed, correct?
Have Domain A pass authentication credentials (user/pass for example) to Domain B via some other method besides a hidden field. Not sure how.
Edit
Another possibility: Create a private/public key. Have Domain A pass the private key to Domain B who validates using the public key, possibly via HTTPS. Not sure how Domain A would pass the private key without exposing it in the HTML. Ideas?
A hidden input with a value to authenticate the user CAN be a secure method depending on what the value is and how it’s generated. You could have Domain A make an AJAX call to Domain B requesting a token which must be submitted along with the form.
This token should only be accepted only once by domain B and should also expire after a certain amount of time.
Finally, you can also send along an identifier for the user. This should be encrypted in some way for transfer. I would suggest either HMAC or public key encryption.
Option 2: Use OpenID 😉