Securely Transferring Users Between Web Sites

Question

Here's the scenario:

• You have two seperate websites that exist in different environments (I.E. different databases, different web servers/domains)
• You have full control over the code for both sites, but from the above point, they can not directly communicate with each other's database
• You must transfer user from site A to site B securely

What is the best way to implement this? Simply sending the user identifier between the sites via query string wouldn't be secure, even if encrypted, since someone else could obtain the URL. It seems like the standard solution is to pass the user identifier along with another temporary key that web site A created, and web site B knows about. If this is the case, what's the proper way of securely setting up the system with the temporary key?

Thanks!

Answer 1

Write a web-service call over HTTPS, at both ends, to retrieve the users details, and that only works for a specific login-pair. Problem solved. You need to make the login-id's at both ends uniform or use single sign on cookies. More details in the paper by Vipin Samar: "Single Sign on Cookies for Web Applications".

They can't get the URL/Passwords unless they go into the application code at one of the servers.