
I want to have two servers, Server A and Server B. Server A does all the authentication (username and password). If the user is authenticated at Server A, then Server A will send POST data of a session id, IP address, user agent, etc. of the user. Server B will receive all this data over SSL and will trust Server A and give access to the user. Also, Server B will only accept POST data from Server A by means of Server A's IP.

My question is, since the POST data is sent over curl/SSL, can it be intercepted or stolen while in traffic? Can the hacker view the session id in plain text (the most important component here)?

Is there anything I can do to increase the security of this method?

  • I'm planning on having Server A as the authentication server and several sub servers as the service providers. Server A will just authenticate them and point the user to where their app is hosted. If that makes sense. – user962449 Oct 15 '11 at 08:28
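The question asks whether anything can be done to make the Server A to Server B handoff safer. TLS protects the POST body in transit, but Server B in the described design authenticates Server A only by source IP. An added example (not code from the question or from any of the answers; written in Python rather than the asker's PHP so it can be run stand-alone) shows the usual hardening for this kind of handoff: Server A signs the payload with an HMAC over a shared secret, stamps it with an issue time and a nonce, and Server B checks the signature in constant time, rejects stale tokens, and refuses to accept the same nonce twice. The shared secret, TTL and sample field values are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed for this example; a real deployment provisions the secret to both
# servers out of band (config management, a secrets store), never in the request.
SHARED_SECRET = b"constructed-shared-secret-replace-me"
TOKEN_TTL = 60          # seconds a handoff token stays valid (assumed value)
CLOCK_SKEW = 5          # tolerance for Server A's clock running ahead of B's


def make_handoff(session_id, ip, user_agent, secret=SHARED_SECRET, now=None):
    """Server A side: build the POST fields for the handoff to Server B.

    The payload is canonical JSON (sorted keys, no whitespace) so both sides
    sign exactly the same bytes; the signature is HMAC-SHA256 over those bytes.
    """
    payload = {
        "session_id": session_id,
        "ip": ip,
        "ua": user_agent,
        "iat": int(now if now is not None else time.time()),
        "nonce": secrets.token_hex(16),   # makes every token single-use
    }
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    sig = hmac.new(secret, body, hashlib.sha256).hexdigest()
    # These two fields are what Server A would POST over TLS to Server B.
    return {"payload": base64.b64encode(body).decode(), "sig": sig}


class HandoffVerifier:
    """Server B side: accept a handoff only if it is authentic, fresh and unused."""

    def __init__(self, secret=SHARED_SECRET, ttl=TOKEN_TTL):
        self.secret = secret
        self.ttl = ttl
        # Replay cache of nonces already accepted. In-memory is fine for a demo;
        # a real deployment uses a shared store with expiry (e.g. a cache with a TTL).
        self.seen = set()

    def verify(self, post, now=None):
        """Return the trusted payload dict, or None if the handoff must be rejected."""
        try:
            body = base64.b64decode(post["payload"], validate=True)
            sig = post["sig"]
        except (KeyError, ValueError, TypeError):
            return None

        # 1. Authenticity: recompute the MAC and compare in constant time so a
        #    byte-by-byte timing difference does not leak the expected value.
        expected = hmac.new(self.secret, body, hashlib.sha256).hexdigest()
        if not isinstance(sig, str) or not hmac.compare_digest(expected, sig):
            return None

        payload = json.loads(body)

        # 2. Freshness: a captured token is useless once the TTL has passed.
        now = now if now is not None else time.time()
        if not (now - self.ttl <= payload["iat"] <= now + CLOCK_SKEW):
            return None

        # 3. Single use: the same token presented twice is a replay.
        if payload["nonce"] in self.seen:
            return None
        self.seen.add(payload["nonce"])
        return payload


if __name__ == "__main__":
    # Constructed walk-through: A issues a token, B accepts it once and then
    # refuses the replay.
    verifier = HandoffVerifier()
    post = make_handoff("sess-abc123", "203.0.113.5", "Mozilla/5.0", now=1000)
    print("first presentation :", verifier.verify(post, now=1010))
    print("replayed           :", verifier.verify(post, now=1011))
```

The signature, not the source IP, is what tells Server B the request really came from Server A, so the IP allow-list becomes a second layer rather than the only check. On the transport side the same applies whichever client library Server A uses: the TLS client must verify Server B's certificate (in PHP's curl that is `CURLOPT_SSL_VERIFYPEER` left enabled), otherwise the "over SSL" part gives no protection against an intercepting proxy.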

1 Answer


You do not want to implement this with PHP because this is easily achieved with webservers alone. Your Server A handling SSL (there is even hardware for that) can act as a Central Authentication Service and as a Reverse Proxy to Server B. It's a common setup to divide responsibilities between servers. Research these topics please.

You can pick from a variety of solutions for this, ranging from free solutions like nginx as a reverse proxy to commercial solutions like IBM's WebSEAL, etc.

And yes, when you use SSL, it is secure enough (when in doubt, buy an audit).

On a sidenote, this question is probably better suited for serverfault.com.

  • which means you should skip the idea of doing that with PHP and research the topics linked in my answer. – Gordon Oct 15 '11 at 08:50
  • What's wrong with my setup? I looked at nginx and I don't think it provides any SSO features, it's just a reverse proxy to apache and acts as a web server and nothing more. – user962449 Oct 15 '11 at 09:11
  • @user962449 no offense, but 20 minutes of research is not enough. The main reason why you don't want to use PHP for this is that all the things you want to achieve can be solved faster with webserver modules. Solving this with PHP is to reinvent what already exists. – Gordon Oct 15 '11 at 09:24
  • I don't think those are solutions for me. The hardware you recommended is to offload some of the SSL computing, which I don't think I need. I'm just trying to make a single server an SSO for multiple servers. All the services I've checked do the same: they send a token over a secure connection. It's pretty much the same thing I'm doing, plus I think I would have more flexibility doing it my way. Thanks for helping me out Gordon, but I really wasn't looking for alternatives, thanks for the info though. I was just asking if curl+SSL is safe to send tokens/sessions over (I don't use curl). – user962449 Oct 15 '11 at 09:45