
How to authenticate 3rd party website via iframe call


I'm working with a college and need to integrate my courses - so their students can access it on the college website. We are going with the simple iframe integration.

The user is going to register on the college website and they will pass the user information to me so I can start a session and give access to the course pages on my website which through iframe they will show on theirs.

My website is built on LAMP and I am using the Zend Framework.

This is a skeleton structure of how I am planning to do this:

1) On the college website, as part of the iframe code - they will call one of my action classes and pass the user email

<iframe src="http://mywebsite/user/validate/email/alice@gcc.com"></iframe>

2) Now in the User controller's validate action I will basically check whether the user exists - create a new user if not, or load the existing user by email - then start a Zend Auth instance, write the user to storage and redirect to his course page, as shown below:

// Look up (or create) the user by the email passed in the iframe URL
$currentUser = $userModel->loadUserProfileByEmail($this->_getParam('email'));
// Start the Zend_Auth session and persist the user identity
$auth = Zend_Auth::getInstance();
$storage = $auth->getStorage();
$storage->write($currentUser);
// Send the now-authenticated user to their course page
return $this->_redirect('/user/my-courses/');

This is what I have so far - and obviously it works.

My Questions

1) Is this the best way to do this? I won't have the user's password because the authentication happens on the college website and they don't want the user to log in directly on my website.

2) This is the big question. I'm a little confused about the best way to authenticate that this call is being made by this particular college. How do I go about this - do they pass an encrypted token along with this iframe call, and only I have the key to decrypt it? I've not done this - I don't know if I'm over-complicating something simple.

Any advice or suggestions will be appreciated. Thanks


Solution

  • I might have misunderstood your question but from what I gather you need:

    - a way to authenticate a user

    - the ability to pass over the page they wish to view on first load and their email address.

    The basis of this is simply symmetric key authentication - all that follows is ways to mash it up.

    Put your data together (email address, Page to land on) and then hash it with a strong key.

    Decrypt at other end and voila - done.

    This method is secure if your password (key) is hard to guess - the following is one way that is hard to crack.

    AUTHENTICATION

    There are a couple of ways to do this - if you have access to their server (or someone there who can insert some code for you) then the following would work.

    Create a php script that does the following.

    I HAVE MASSIVELY OVER-ENGINEERED THIS TO DEMONSTRATE LOADS OF WAYS OF MAKING A HASHED STRING HARDER TO CRACK - YOU CAN CHOOSE YOUR OWN WAY!

    (pseudo code)

    $serverTimeStamp = timestamp;
    
    $additionalNoise = "THEcat1sch33sy";
    
    $time = $serverTimeStamp . "XAB"; <- needs to be a random code as delimiter.
    $data =  $additionalNoise + "email@email.com";
    $salt = "wh4tW0u1dB4tm4nD0?" + $serverTimeStamp;
    

    $password then needs hashing with a reversible hash (mcrypt is a good place to start)

    $encrypted = mcrypt of $data and $salt ($salt is shared key);
    
    $authenticationcode = $time . $encrypted;
    

    This will give you a pretty damned strong random string with a time-stamp at the front followed by XAB then a random hashed string.

    This would then be passed to your user validate script.

    <iframe src="http://yoursite/validate/COMPLETELYRANDOMSTRING"></iframe>
    

    From there you reverse the process.

    IMPORTANT (amendment) - I completely forgot one IMPORTANT element - store the random string that is sent to you in a database. These strings are 'single use' - if you receive the same string again it is an attack.

    This is all facilitated by the timestamp being in the salt and at the beginning of the string - you can send the same data 1000 times a day with a completely different string.

    Get random string.
    
    get time-stamp from front of random string -> using regex / index of looking for numbers and then XAB (hence the random XAB string - it is just a separator)
    
    $timeStamp = "10200192XAB";
    
    "wh4tW0u1dB4tm4nD0?" <-shared secret key.
    
    $salt (secret key) = "wh4tW0u1dB4tm4nD0?" + $timeStamp;
    

    decrypt using salt

    you get your data preceded by

    "THEcat1sch33sy" (your additional noise) (which is also a fixed shared key in effect)
    

    Just strip the "THEcat1sch33sy" and you have your email address (which you then validate, for the 1-in-a-million chance that the random string actually spits out "THEcat1sch33sy" at the beginning).

    Voila - not 100% but believe me - if I am trying to get into your server - I won't try this way!

    PASS PAGE OVER

    Simply add it to the $data - so you would pass $email + "separator" + $coursepage.
    

    Hope this helps (and is clear)
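
As an added example that is not part of the question or the answer above: one way to build the "completely random string" the answer describes and to check it on the course site. Instead of reversible encryption it uses an HMAC over the email, landing page, timestamp and a nonce, so the college proves with the shared secret that it made the call, and the course site can reject tampered, stale or replayed tokens before it does the Zend_Auth storage write from the question. The function names, the JSON layout, the 300-second freshness window and the in-memory nonce store are assumptions chosen for this example; in production the store would be the database table the answer recommends.

```php
<?php
// Added example, not the asker's or answerer's code. Names, JSON layout,
// the 300 s window and the in-memory nonce store are assumptions.

function base64url_encode(string $bin): string {
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}

function base64url_decode(string $txt) {
    return base64_decode(strtr($txt, '-_', '+/'), true); // false on bad input
}

// College side: serialise the claims and sign the exact bytes with the shared secret.
function build_handoff_token(string $email, string $page, string $secret, int $now): string {
    $claims = [
        'email' => $email,
        'page'  => $page,
        'iat'   => $now,                       // issue time, checked against a freshness window
        'nonce' => bin2hex(random_bytes(16)),  // makes every token unique and single-use
    ];
    $payload = base64url_encode(json_encode($claims));
    $mac = hash_hmac('sha256', $payload, $secret);
    return $payload . '.' . $mac;
}

// Course-site side. Returns the claims array on success, or a string naming the
// reason for rejection. $seenNonces stands in for the single-use table in the DB.
function verify_handoff_token(string $token, string $secret, int $now, array &$seenNonces, int $maxAge = 300) {
    $parts = explode('.', $token);
    if (count($parts) !== 2) {
        return 'malformed';
    }
    list($payload, $mac) = $parts;
    // Verify the MAC before parsing anything; hash_equals is constant-time.
    $expected = hash_hmac('sha256', $payload, $secret);
    if (!hash_equals($expected, $mac)) {
        return 'bad signature';
    }
    $json = base64url_decode($payload);
    $claims = ($json === false) ? null : json_decode($json, true);
    if (!is_array($claims) || !isset($claims['email'], $claims['page'], $claims['iat'], $claims['nonce'])) {
        return 'malformed';
    }
    // Freshness: reject tokens older than the window or dated in the future (small clock skew allowed).
    if (!is_int($claims['iat']) || $claims['iat'] > $now + 30 || $now - $claims['iat'] > $maxAge) {
        return 'expired';
    }
    // Single use: a nonce that was already accepted is a replay.
    if (isset($seenNonces[$claims['nonce']])) {
        return 'replay';
    }
    $seenNonces[$claims['nonce']] = $claims['iat'];
    if (filter_var($claims['email'], FILTER_VALIDATE_EMAIL) === false) {
        return 'bad email';
    }
    // Only redirect to a local path, so a signed token can never become an open redirect.
    if (!is_string($claims['page']) || $claims['page'] === '' || $claims['page'][0] !== '/' || strpos($claims['page'], '//') === 0) {
        return 'bad page';
    }
    return $claims;
}

// Demo with a constructed secret and a fixed clock.
$secret = 'replace-with-a-long-random-shared-secret';
$now = 1700000000;
$seen = [];

$token = build_handoff_token('alice@gcc.com', '/user/my-courses/', $secret, $now);
var_dump(is_array(verify_handoff_token($token, $secret, $now + 5, $seen)));      // bool(true)
var_dump(verify_handoff_token($token, $secret, $now + 6, $seen));                 // "replay"
$tampered = substr_replace($token, 'x', 3, 1);                                    // flip one payload character
var_dump(verify_handoff_token($tampered, $secret, $now + 5, $seen));              // "bad signature"
$stale = build_handoff_token('bob@gcc.com', '/user/my-courses/', $secret, $now - 3600);
var_dump(verify_handoff_token($stale, $secret, $now, $seen));                     // "expired"
```

On success the validate action would call `loadUserProfileByEmail($claims['email'])`, write the user to Zend_Auth storage exactly as in the question, and redirect to `$claims['page']`. The token should be sent over HTTPS (the iframe URL in the question is plain http) and the shared secret kept out of the iframe markup, since anything in the page source is visible to every student.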