Join 3,512 readers in helping fund MetaFilter (Hide)


Can I combine htaccess and session variables from other systems?
July 23, 2008 10:03 AM   Subscribe

Web server question. Can I combine htaccess and session variables from other systems? (more inside)

OK, bear with me here--I'm a page developer, not a server admin. I've got an apache system that uses htaccess and a .db file to grant access to particular directories. I've also got a set of users who aren't in the .db file, but will be logging in to another system (salesforce.com) and trying to access those restricted areas. Is there a way to allow the first set of users to continue logging in as always, but to allow a session variable that is established on the salesforce.com site to be passed, allowing this second set of users to access the area without having to log in again?
posted by jpoulos to Computers & Internet (6 answers total)
 
Check out OpenID and PubCookie. We use the latter to allow single sign on and access to multiple servers, and even allow people to be authenticated at their university but access protected things at our university. Sorry, don't know quite how it works, but it is possible and currently in use.
posted by zengargoyle at 10:53 AM on July 23, 2008


In short, no. There's ways that you could accomplish this, but they all involve some absurd hacks that are generally acknowledged to be Really Bad Ideas that basically amount to man-in-the-middle attacks on your userbase.

In short, unless the external vendor (salesforce) provides you with a mechanism to authenticate users based on your local authentication mechanism (i.e. Active Directory) then you cannot do single sign on.
posted by SpecialK at 12:47 PM on July 23, 2008


The easy but not very secure way to do it is to require on each request a Referer header from either another page in the directory or a page on the other site, so users following a link from that page could skip the password check. Something like:
SetEnvIf Referer ^http://yoursite.com/private let_me_inSetEnvIf Referer ^http://salesforce.com/private/yoursite/URL let_me_in<Directory /docroot>    Order Deny,Allow    Deny from all    Allow from env=let_me_in    AuthType Basic    AuthUserFile /usr/local/apache/conf/htpasswd.users    AuthName "allow users by password or from salesforce.com"    Require valid-user    Satisfy any</Directory>
You'd have to be able to save the "gateway" link on pages at salesforce.com. Someone could sneak past this, but they'd have to know the Referer URL and be smart enough to fake it.
posted by nicwolff at 12:49 PM on July 23, 2008


Looks like this may be possible via the Salesforce API: see How To Implement SSO with Salesforce.
posted by fishfucker at 1:30 PM on July 23, 2008


Oh wait, you're trying to go *from* a Salesforce login to *your* system? I don't know about that. Maybe you could fake up a Salesforce login, use the API to log them into salesforce AND your system, and then redirect to Salesforce, but yeah, not sure my original post is relevant in that light.
posted by fishfucker at 1:32 PM on July 23, 2008


Yeah, I think the SF API will let me do it, but it will require some gymnastics on my server end. Thanks, all!
posted by jpoulos at 11:39 AM on July 24, 2008


« Older What is the accepted procedure...   |  How do I complain to a corpora... Newer »
This thread is closed to new comments.