Creating a Login-in-as from a separate server

The Background

I have a Laravel system with a standard login system, hashes, username etc. I also have multiple servers: my own server as the web developer, and client servers that host client sites. Some clients have multiple sites.

The problem

I have a scenario where I would like to have the main website (the developer site) where clients can log in.

Once they log into the portal, they will see a list of websites that are ‘owned’ by that client.

I would then display a ‘Login’ button so once they click the button, it would authenticate them into the remote site and redirect them to it. (ya ya single login).

Generally speaking, this is all possible and easy enough, especially when the sites are on the same server, as I can access both DBs.

However in this new scenario, the main site is on a separate server.

I have considered 2 options

Option 1

Setting a cookie in the browser from the main site with certain info that the client site would read, then redirecting them to the secondary site, which would check for that cookie and then authenticate.

Option 2

User logs into the main site, selects ‘login’, which sends a curl request with API info to the secondary site, in which the secondary site would then somehow authenticate.

If anyone has any ideas (the simpler the better, as long as it does compromise security) or suggestions, they would be most helpful.

Answer

Your direction in Option 2 is better. You may consider this:

  1. use PHP curl to send data to a target site
  2. the data should contain the login name of the user, plus a “secret string” so that the target server knows that the traffic is from your main site, and then the curl can simply return the login credentials of the user (both username and password)
  3. After that the system can use the username and password to log into the target site for that particular user.

[Optional] If you have SSL enabled on the target site, it will be better because you can enable SSL verification in the curl to avoid a “man-in-the-middle” attack. In that case, please use something like this:

// Turn on SSL certificate verification.
// CURLOPT_CAINFO takes a CA bundle file such as cacert.pem; CURLOPT_CAPATH expects a directory of hashed certificates.
curl_setopt($curl, CURLOPT_CAINFO, "/usr/local/www/vhosts/<yourdomainname>/httpdocs/cacert.pem");
// 2 checks that the certificate name matches the host; the value 1 is no longer accepted by libcurl.
curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, 2);
curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, true);
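As an added example (not code from the question or the answer), here is a plain-PHP sketch of the "login name plus secret string" exchange in step 2, going one step further than the answer: instead of returning the user's password, the main site sends a short-lived, HMAC-signed request that the target verifies before logging that user in. The shared secret, the 60-second lifetime and the `SHARED_SECRET` constant are assumptions; in a real deployment the secret would come from configuration on both servers.

```php
<?php
// Assumed shared secret known only to the main site and the target site.
const SHARED_SECRET = 'replace-with-a-long-random-secret';
const TOKEN_TTL = 60; // seconds a login request stays valid (assumed)

// --- Main site: build a signed, single-use login request for $username ---
function buildLoginRequest(string $username, string $secret, int $now): array {
    $payload = ['user' => $username, 'exp' => $now + TOKEN_TTL, 'nonce' => bin2hex(random_bytes(16))];
    $body = json_encode($payload);
    $sig = hash_hmac('sha256', $body, $secret);
    return ['body' => $body, 'sig' => $sig];
}

// --- Main site: send it over verified TLS (same verification options as the answer) ---
function sendLoginRequest(string $url, array $req) {
    $curl = curl_init($url);
    curl_setopt_array($curl, [
        CURLOPT_POST => true,
        CURLOPT_POSTFIELDS => $req['body'],
        CURLOPT_HTTPHEADER => ['Content-Type: application/json', 'X-Signature: ' . $req['sig']],
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_SSL_VERIFYHOST => 2,
    ]);
    $resp = curl_exec($curl);
    curl_close($curl);
    return $resp; // string body on success, false on transport or TLS failure
}

// --- Target site: verify the signature, expiry and nonce before trusting the user name ---
function verifyLoginRequest(string $body, string $sig, string $secret, int $now, array &$seenNonces): ?string {
    $expected = hash_hmac('sha256', $body, $secret);
    if (!hash_equals($expected, $sig)) return null;      // constant-time comparison
    $p = json_decode($body, true);
    if (!is_array($p) || !isset($p['user'], $p['exp'], $p['nonce'])) return null;
    if ($p['exp'] < $now) return null;                    // expired request
    if (isset($seenNonces[$p['nonce']])) return null;     // nonce already used: replay
    $seenNonces[$p['nonce']] = true;                      // persist in a DB/cache in practice
    return $p['user']; // the caller then logs this user in, e.g. Auth::loginUsingId() in Laravel
}

// Local demonstration of both sides without a network round-trip
$seen = [];
$req = buildLoginRequest('alice', SHARED_SECRET, time());
var_dump(verifyLoginRequest($req['body'], $req['sig'], SHARED_SECRET, time(), $seen));
// Second call reuses the same nonce, so the target rejects it as a replay
var_dump(verifyLoginRequest($req['body'], $req['sig'], SHARED_SECRET, time(), $seen));
```

On the target side the verified user name is all that is needed to start a session and redirect the browser, so no password ever leaves either server.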
User contributions licensed under: CC BY-SA