Can I combine htaccess and session variables from other systems?
July 23, 2008 10:03 AM Subscribe
Web server question. Can I combine htaccess and session variables from other systems? (more inside)
OK, bear with me here--I'm a page developer, not a server admin. I've got an apache system that uses htaccess and a .db file to grant access to particular directories. I've also got a set of users who aren't in the .db file, but will be logging in to another system (salesforce.com) and trying to access those restricted areas. Is there a way to allow the first set of users to continue logging in as always, but to allow a session variable that is established on the salesforce.com site to be passed, allowing this second set of users to access the area without having to log in again?
OK, bear with me here--I'm a page developer, not a server admin. I've got an apache system that uses htaccess and a .db file to grant access to particular directories. I've also got a set of users who aren't in the .db file, but will be logging in to another system (salesforce.com) and trying to access those restricted areas. Is there a way to allow the first set of users to continue logging in as always, but to allow a session variable that is established on the salesforce.com site to be passed, allowing this second set of users to access the area without having to log in again?
In short, no. There's ways that you could accomplish this, but they all involve some absurd hacks that are generally acknowledged to be Really Bad Ideas that basically amount to man-in-the-middle attacks on your userbase.
In short, unless the external vendor (salesforce) provides you with a mechanism to authenticate users based on your local authentication mechanism (i.e. Active Directory) then you cannot do single sign on.
posted by SpecialK at 12:47 PM on July 23, 2008
In short, unless the external vendor (salesforce) provides you with a mechanism to authenticate users based on your local authentication mechanism (i.e. Active Directory) then you cannot do single sign on.
posted by SpecialK at 12:47 PM on July 23, 2008
The easy but not very secure way to do it is to require on each request a Referer header from either another page in the directory or a page on the other site, so users following a link from that page could skip the password check. Something like:
posted by nicwolff at 12:49 PM on July 23, 2008
SetEnvIf Referer ^http://yoursite.com/private let_me_inSetEnvIf Referer ^http://salesforce.com/private/yoursite/URL let_me_in<Directory /docroot> Order Deny,Allow Deny from all Allow from env=let_me_in AuthType Basic AuthUserFile /usr/local/apache/conf/htpasswd.users AuthName "allow users by password or from salesforce.com" Require valid-user Satisfy any</Directory>You'd have to be able to save the "gateway" link on pages at salesforce.com. Someone could sneak past this, but they'd have to know the Referer URL and be smart enough to fake it.
posted by nicwolff at 12:49 PM on July 23, 2008
Looks like this may be possible via the Salesforce API: see How To Implement SSO with Salesforce.
posted by fishfucker at 1:30 PM on July 23, 2008
posted by fishfucker at 1:30 PM on July 23, 2008
Oh wait, you're trying to go *from* a Salesforce login to *your* system? I don't know about that. Maybe you could fake up a Salesforce login, use the API to log them into salesforce AND your system, and then redirect to Salesforce, but yeah, not sure my original post is relevant in that light.
posted by fishfucker at 1:32 PM on July 23, 2008
posted by fishfucker at 1:32 PM on July 23, 2008
Response by poster: Yeah, I think the SF API will let me do it, but it will require some gymnastics on my server end. Thanks, all!
posted by jpoulos at 11:39 AM on July 24, 2008
posted by jpoulos at 11:39 AM on July 24, 2008
This thread is closed to new comments.
posted by zengargoyle at 10:53 AM on July 23, 2008