Let’s assume we have X applications – one ‘master’ and 2+ ‘slaves’.
Now, slaves run on subdomains, hold all data and have a little API (together with their own custom full CRUD administration).
Now, on the domain, I would like to have one ‘master’ application running, which will take all data from all the subdomains (via API) and show it [only read & export access] in one place, so if you just want to view records and do exports, you can do all this via one webapp for each subdomain.
However, when you need to edit data, you’ll need to log in to the subdomain applications, and I would like to make this as seamless as possible, so one-click login (‘edit this record in its application’) is what I would like to do; however, I would like to do this as safely as possible.
I’m thinking about POSTing SHA1(login + safe phrase) and a referrer check [this also in some of the vital API calls]; I’m just not sure if it’s the safest possible option (also, we may introduce an SSL layer afterwards, but it should not interfere with this in any way).
So is there any better option?
Don’t use SHA1, use SHA512 if you can. Also, a nonce system might be good to implement:
Cryptographic nonce
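As an added illustration of what the answer suggests (not code from the poster or from any of the applications described), here is a one-click login token that replaces the static SHA1(login + phrase) value with an HMAC-SHA512 signature over the login, a random nonce and an expiry time. The secret name, field names and 60-second lifetime are assumptions; the nonce set would be a shared store in a real deployment.

```python
import hmac
import hashlib
import secrets
import time

# Secret shared between the master app and each slave app (constructed placeholder).
SHARED_SECRET = b"replace-with-a-long-random-secret"
TOKEN_TTL = 60  # seconds a one-click login link stays valid (assumed value)

# Nonces this slave app has already accepted; rejects replay of a captured link.
_used_nonces = set()


def _signature(login, nonce, expires):
    """HMAC-SHA512 over the fields, so the token cannot be forged or altered."""
    msg = "{}|{}|{}".format(login, nonce, expires).encode()
    return hmac.new(SHARED_SECRET, msg, hashlib.sha512).hexdigest()


def issue_token(login, now=None):
    """Master app: build the fields to POST to the slave app's login endpoint."""
    now = int(time.time()) if now is None else now
    nonce = secrets.token_hex(16)
    expires = now + TOKEN_TTL
    return {"login": login, "nonce": nonce, "expires": expires,
            "sig": _signature(login, nonce, expires)}


def verify_token(token, now=None):
    """Slave app: accept the token once, only while unexpired and untampered."""
    now = int(time.time()) if now is None else now
    try:
        login, nonce = token["login"], token["nonce"]
        expires, sig = int(token["expires"]), token["sig"]
    except (KeyError, TypeError, ValueError):
        return False
    if now > expires:
        return False  # stale link
    if nonce in _used_nonces:
        return False  # replayed link
    # Constant-time comparison avoids leaking the signature byte by byte.
    if not hmac.compare_digest(sig, _signature(login, nonce, expires)):
        return False  # forged or modified fields
    _used_nonces.add(nonce)
    return True
```

Send the token over SSL as well; the signature stops forgery and replay, but only transport encryption keeps the login name and link private in transit.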