There is website A, with its pool of users. There is a separate website B, which sells digital goods.
I want to allow users of website A to make a purchase from website B, without registering or visiting B.
Given that site A has an agreement with site B to pay the bill on a monthly basis, how can you authorize purchases without opening a vulnerability for malicious attackers?
The first solution which comes to my mind, storing a master password to authorize single user purchases, is a security nightmare, but I can't think of anything better. Any ideas?
You can use SAML (http://en.wikipedia.org/wiki/SAML) for this purpose.
Site A will have the username/password and other information to authenticate end users. After authentication, site A can send users to site B, and site B will call a service exposed by site A to confirm that the user was indeed sent from site A.
E.g.
It is VERY important that the whole communication happens over SSL. This will help mitigate man-in-the-middle attacks.
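To make the flow in the answer above concrete, here is an added example that is not part of the original answer and does not use a SAML library. It models the same three steps in one process: site A authenticates its user and hands them a short-lived, signed, single-use assertion; the user carries it to site B; site B calls A's confirm service (represented here by a direct function call standing in for an HTTPS request) and only records the sale if A vouches for the token. The signing key, the user records, the TTL and the item prices are all constructed for the example; only site A ever holds the key, so site B needs nothing but a trusted TLS channel to A.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Held by site A only (constructed demo value); site B never sees it.
A_SIGNING_KEY = b"site-a-assertion-signing-key-demo"
TOKEN_TTL_SECONDS = 300  # assumption: assertions are valid for five minutes


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class SiteA:
    """Owns the user pool; issues assertions and answers B's confirm calls."""

    def __init__(self, clock=time.time):
        self.users = {"alice": {"email": "alice@example.com"}}  # constructed user
        self._used_nonces = set()  # single-use: a confirmed nonce is never accepted again
        self.now = clock  # injectable so expiry can be tested

    def issue_assertion(self, user_id: str) -> str:
        """Called after A has authenticated user_id; returns body.signature."""
        if user_id not in self.users:
            raise KeyError("unknown user")
        claims = {"sub": user_id, "nonce": secrets.token_hex(16),
                  "exp": int(self.now()) + TOKEN_TTL_SECONDS}
        body = json.dumps(claims, separators=(",", ":")).encode()
        sig = hmac.new(A_SIGNING_KEY, body, hashlib.sha256).digest()
        return _b64(body) + "." + _b64(sig)

    def confirm(self, token: str):
        """The service B calls back over TLS. Returns the user record or None."""
        try:
            body_b64, sig_b64 = token.split(".")
            body, sig = _unb64(body_b64), _unb64(sig_b64)
        except ValueError:
            return None
        expected = hmac.new(A_SIGNING_KEY, body, hashlib.sha256).digest()
        if not hmac.compare_digest(sig, expected):  # tampered or forged
            return None
        claims = json.loads(body)
        if claims["exp"] < self.now():  # stale token
            return None
        if claims["nonce"] in self._used_nonces:  # replayed token
            return None
        user = self.users.get(claims["sub"])
        if user is None:  # account removed since issuance
            return None
        self._used_nonces.add(claims["nonce"])
        return {"user": claims["sub"], **user}


class SiteB:
    """Sells digital goods; trusts only what A's confirm service vouches for."""

    def __init__(self, confirm_with_a):
        self.confirm_with_a = confirm_with_a  # stands in for an HTTPS call to A
        self.ledger = []  # what A will be billed for at month end

    def purchase(self, token: str, item: str, price: float) -> dict:
        user = self.confirm_with_a(token)
        if user is None:
            return {"ok": False, "reason": "assertion rejected by site A"}
        self.ledger.append({"user": user["user"], "item": item, "price": price})
        return {"ok": True, "user": user["user"], "item": item}


if __name__ == "__main__":
    a = SiteA()
    b = SiteB(a.confirm)
    token = a.issue_assertion("alice")
    print(b.purchase(token, "ebook", 9.99))  # accepted
    print(b.purchase(token, "ebook", 9.99))  # same token again: rejected
```

In a real deployment the confirm call from B to A must itself be authenticated (client certificate or API key), otherwise anyone who can reach A's endpoint can burn tokens; and because the nonce store is what stops replay, it has to be shared across all of A's instances.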