
Can I combine htaccess and session variables from other systems?
July 23, 2008 10:03 AM

Web server question. Can I combine htaccess and session variables from other systems?

OK, bear with me here--I'm a page developer, not a server admin. I've got an apache system that uses htaccess and a .db file to grant access to particular directories. I've also got a set of users who aren't in the .db file, but will be logging in to another system (salesforce.com) and trying to access those restricted areas. Is there a way to allow the first set of users to continue logging in as always, but to allow a session variable that is established on the salesforce.com site to be passed, allowing this second set of users to access the area without having to log in again?
posted by jpoulos to computers & internet (6 comments total)
Check out OpenID and PubCookie. We use the latter to allow single sign on and access to multiple servers, and even allow people to be authenticated at their university but access protected things at our university. Sorry, don't know quite how it works, but it is possible and currently in use.
posted by zengargoyle at 10:53 AM on July 23


In short, no. There are ways that you could accomplish this, but they all involve some absurd hacks that are generally acknowledged to be Really Bad Ideas that basically amount to man-in-the-middle attacks on your userbase.

In short, unless the external vendor (salesforce) provides you with a mechanism to authenticate users based on your local authentication mechanism (i.e. Active Directory) then you cannot do single sign on.
posted by SpecialK at 12:47 PM on July 23


The easy but not very secure way to do it is to require on each request a Referer header from either another page in the directory or a page on the other site, so users following a link from that page could skip the password check. Something like:
# Mark the request if the Referer header matches either regex (prefix match, client-supplied header)
SetEnvIf Referer ^http://yoursite.com/private let_me_in
SetEnvIf Referer ^http://salesforce.com/private/yoursite/URL let_me_in
<Directory /docroot>
# Host-based check (Apache 2.2-era syntax; mod_access_compat in 2.4): deny unless the env var is set
Order Deny,Allow
Deny from all
Allow from env=let_me_in
# User-based check against the htpasswd file
AuthType Basic
AuthUserFile /usr/local/apache/conf/htpasswd.users
AuthName "allow users by password or from salesforce.com"
Require valid-user
# Either check passing is enough; the default (Satisfy all) would require both
Satisfy any
</Directory>
You'd have to be able to save the "gateway" link on pages at salesforce.com. Someone could sneak past this, but they'd have to know the Referer URL and be smart enough to fake it.
posted by nicwolff at 12:49 PM on July 23
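To make the access decision in that config concrete, here is an added model (not part of the answer above, and not Apache code) of how SetEnvIf, the Order/Deny/Allow block and Satisfy any combine for one request. The Referer regexes are copied from the config; the htpasswd map and the request headers are constructed for the example.

```python
import re
from typing import Dict, Optional, Set, Tuple

# The two SetEnvIf regexes from the posted config. Apache applies them as
# regex matches that are only anchored at the start, i.e. prefix matches on
# whatever Referer value the client chose to send.
REFERER_RULES = [
    re.compile(r"^http://yoursite.com/private"),
    re.compile(r"^http://salesforce.com/private/yoursite/URL"),
]

# Constructed stand-in for AuthUserFile (plaintext here; real entries are hashed).
HTPASSWD: Dict[str, str] = {"alice": "correct horse"}


def set_env_if(headers: Dict[str, str]) -> Set[str]:
    """Model `SetEnvIf Referer <regex> let_me_in`: set the env var if any rule matches."""
    env: Set[str] = set()
    referer = headers.get("Referer", "")
    if any(rule.search(referer) for rule in REFERER_RULES):
        env.add("let_me_in")
    return env


def host_access_allows(env: Set[str]) -> bool:
    """Model `Order Deny,Allow` / `Deny from all` / `Allow from env=let_me_in`."""
    return "let_me_in" in env


def user_auth_allows(credentials: Optional[Tuple[str, str]]) -> bool:
    """Model `AuthType Basic` + `Require valid-user` against the htpasswd map."""
    if credentials is None:
        return False
    user, password = credentials
    return HTPASSWD.get(user) == password


def access_decision(headers: Dict[str, str],
                    credentials: Optional[Tuple[str, str]] = None) -> str:
    """Model `Satisfy any`: the host/env check OR a valid user is enough.

    Returns a short reason string, which is also what you would want in the
    access log to tell the two allow paths apart.
    """
    if host_access_allows(set_env_if(headers)):
        return "allow:referer"      # the password is never consulted on this path
    if user_auth_allows(credentials):
        return "allow:valid-user"
    return "deny:401"


def demo() -> Dict[str, str]:
    """Constructed requests covering the cases a reviewer of this config would check."""
    cases = {
        "referer_only": ({"Referer": "http://salesforce.com/private/yoursite/URL/page1"}, None),
        "password_only": ({}, ("alice", "correct horse")),
        "wrong_password": ({}, ("alice", "guess")),
        "foreign_referer": ({"Referer": "http://other.example/"}, None),
        "nothing": ({}, None),
    }
    return {name: access_decision(h, c) for name, (h, c) in cases.items()}


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:16s} -> {decision}")
```

The `allow:referer` path consults nothing but a header the client sends, so the server has no way to tell a genuine click from the Salesforce page apart from any other request carrying the same header value. If this config is used anyway, logging which path allowed each request is the only place the difference would ever show up.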


Looks like this may be possible via the Salesforce API: see How To Implement SSO with Salesforce.
posted by fishfucker at 1:30 PM on July 23


Oh wait, you're trying to go *from* a Salesforce login to *your* system? I don't know about that. Maybe you could fake up a Salesforce login, use the API to log them into salesforce AND your system, and then redirect to Salesforce, but yeah, not sure my original post is relevant in that light.
posted by fishfucker at 1:32 PM on July 23


Yeah, I think the SF API will let me do it, but it will require some gymnastics on my server end. Thanks, all!
posted by jpoulos at 11:39 AM on July 24
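The "gymnastics on the server end" that the thread converges on is a handoff token: the system that actually authenticated the user hands the browser a signed, short-lived token, and the local server verifies it before starting its own session. The following is an added, generic illustration of that pattern; it is not Salesforce's API or anything from the thread, and the shared secret, token format and TTL are assumptions.

```python
import hashlib
import hmac
import time
from typing import Optional, Set

# Shared secret known only to the external login system and this server.
# Constructed value for the example; generate a random one in practice.
SHARED_SECRET = b"example-shared-secret-not-for-real-use"


def _signature(secret: bytes, user: str, expires: int) -> str:
    """HMAC-SHA256 over the fields the verifier will trust."""
    msg = f"{user}:{expires}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def mint_token(secret: bytes, user: str, now: int, ttl: int = 300) -> str:
    """Run by the system that authenticated the user (the hypothetical external
    login step). Token format: user:expires:hex_signature."""
    if ":" in user:
        raise ValueError("user name must not contain ':'")
    expires = now + ttl
    return f"{user}:{expires}:{_signature(secret, user, expires)}"


def verify_token(secret: bytes, token: str, now: int) -> Optional[str]:
    """Run by our server on the gateway request. Returns the user name if the
    token is authentic and unexpired, otherwise None."""
    parts = token.split(":")
    if len(parts) != 3:
        return None
    user, expires_str, sig = parts
    if not expires_str.isdigit():
        return None
    expires = int(expires_str)
    # Constant-time comparison, and check the signature before trusting any field.
    if not hmac.compare_digest(sig, _signature(secret, user, expires)):
        return None
    if now >= expires:
        return None
    return user


def consume_token(secret: bytes, token: str, now: int, used: Set[str]) -> Optional[str]:
    """Single-use variant: a valid token is accepted once, then remembered as spent,
    so a captured token cannot be replayed within its TTL."""
    user = verify_token(secret, token, now)
    if user is None or token in used:
        return None
    used.add(token)
    return user


if __name__ == "__main__":
    now = int(time.time())
    token = mint_token(SHARED_SECRET, "bob", now)
    spent: Set[str] = set()
    print("first use :", consume_token(SHARED_SECRET, token, now, spent))
    print("second use:", consume_token(SHARED_SECRET, token, now, spent))
```

Unlike the Referer check, the server here verifies something only the authenticating system could have produced, with a lifetime it controls; the `used` set is what turns the gateway link into a one-shot login rather than a reusable URL.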

