I want to have two servers, Server A and Server B. Server A does all the authentication (username and password). If the user is authenticated at Server A, then Server A will send POST data of a session id, ip address, useragent, etc. of the user. Server B will receive all this data over SSL and will trust Server A and give access to the user. Also, Server B will only accept POST data from Server A by means of Server A’s IP.
My question is, since the POST data is sent over curl/SSL, can it be intercepted or stolen while in transit? Can the hacker view the session id in plain text (the most important component here)?
Is there anything I can do to increase the security of this method?
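The handoff described above (Server A POSTs a session id, client IP and user agent to Server B, which checks that the request came from Server A's address) can be made less dependent on the source IP alone by having A sign the payload with a shared secret and B verify the signature, a timestamp and a one-time nonce before trusting it. The following is an added example written for this answer thread, not code from the question's author: the shared secret, the trusted IP 198.51.100.10, the client IP 203.0.113.5 and the 60-second skew window are all constructed values, and the HMAC-over-JSON format is an assumption, not something the question specifies. TLS still does the in-transit encryption; this only adds authenticity and replay protection on top of it.

```python
import hashlib
import hmac
import json
import secrets
import time

# Constructed values for the example. In a real deployment the secret is
# provisioned out of band and never sent over the wire.
SHARED_SECRET = b"replace-with-a-long-random-secret"
SERVER_A_IP = "198.51.100.10"   # assumed address of the authenticating server
MAX_CLOCK_SKEW = 60             # seconds a handoff message stays valid


def make_handoff(session_id, client_ip, user_agent, key, now=None, nonce=None):
    """Server A side: build the signed message that is POSTed to Server B.

    Returns (body, signature). The body is canonical JSON so that both sides
    hash exactly the same bytes; the signature is HMAC-SHA256 over the body.
    """
    payload = {
        "session_id": session_id,
        "client_ip": client_ip,
        "user_agent": user_agent,
        "iat": int(now if now is not None else time.time()),
        "nonce": nonce if nonce is not None else secrets.token_hex(16),
    }
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    signature = hmac.new(key, body, hashlib.sha256).hexdigest()
    return body, signature


class HandoffVerifier:
    """Server B side: checks source IP, signature, freshness and replay."""

    def __init__(self, key, trusted_ips, max_skew=MAX_CLOCK_SKEW):
        self.key = key
        self.trusted_ips = set(trusted_ips)
        self.max_skew = max_skew
        self.seen_nonces = set()  # in production this lives in a shared store with expiry

    def verify(self, body, signature, source_ip, now=None):
        """Return (True, payload) on success or (False, reason) on rejection."""
        now = int(now if now is not None else time.time())

        # 1. Source IP filter: cheap first gate, but spoofable on its own.
        if source_ip not in self.trusted_ips:
            return False, "untrusted source address"

        # 2. Signature check in constant time, so tampering with any field
        #    (including the session id) is detected regardless of source IP.
        expected = hmac.new(self.key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, signature):
            return False, "bad signature"

        payload = json.loads(body)

        # 3. Freshness: reject messages outside the allowed clock skew.
        if abs(now - int(payload["iat"])) > self.max_skew:
            return False, "stale handoff"

        # 4. Replay: each nonce may be accepted exactly once.
        if payload["nonce"] in self.seen_nonces:
            return False, "replayed handoff"
        self.seen_nonces.add(payload["nonce"])

        return True, payload


if __name__ == "__main__":
    body, sig = make_handoff("s3ss10n", "203.0.113.5", "Mozilla/5.0", SHARED_SECRET)
    verifier = HandoffVerifier(SHARED_SECRET, {SERVER_A_IP})
    print(verifier.verify(body, sig, SERVER_A_IP))
```

On the wire, `body` and `sig` would be the POST body and a header of the HTTPS request from A to B, and A's HTTP client must verify B's certificate (with curl, do not pass `-k`/`--insecure`), otherwise the TLS channel the question relies on can be intercepted by anyone who can redirect the connection.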
You do not want to implement this with PHP because this is easily achieved with webservers alone. Your Server A, handling SSL (there is even hardware for that), can act as a Central Authentication Service and as a Reverse Proxy to Server B. It’s a common setup to divide responsibilities between servers. Research these topics please.
You can pick from a variety of solutions for this, ranging from free solutions like nginx as a reverse proxy to commercial solutions like IBM’s WebSEAL, etc.
And yes, when you use SSL, it is secure enough (when in doubt, buy an audit).
On a sidenote, this question is probably better suited for serverfault.com.