Hi,
I'm figuring out the following issue.
Let's say that I have a system where the user in Kayako has the same login info as in the other system.
In that case I'm able to use the Kayako login information to log in to the external system.
The question is how to do this safely.
I was thinking of a form that you post to a script where the username is in the form and that submits to the login form of the external application.
This is very insecure because everyone can make a simple form and guess usernames and post it to that script and it will log in that user.
So I need to have a second and maybe a third check that I need to do to post this information. This is done using HTTPS, so I don't expect that much of a problem with it.
Still I'm not satisfied how I want to have this one.
In some script, no matter how it's done, the username and password need to be POSTED to a form, so actually they will be visible for a very very very short time. Even when you make everything hidden in the form field, if someone is able to stop the page, they can read out the source and... gotcha!
So, actually I don't like my own idea, but I'm trying to figure something out more decent.
So the idea:
1. Make a link in the menu after the user has logged in to Kayako.
2. Click on the link and grab the password (you already have the username somewhere because without it you can't query, of course) and post it with a form action for a URL and let the user log in to that application.
Now I have to find the safest way, starting with SSL.
[edit]
Something that checks a session variable from Kayako would be nice for running this script. I know, for example, that Kayako uses hashes for downloads that can be used only once, so something like that, where I check in the login script, using a query, a variable that is only valid for that moment.
Actually the password is still sent in cleartext, but with a body onload and form submit action, I doubt if you can read this password out in some way, or you need to be able to stop the script and read out the source, and that might be very possible.
[/edit]
Thijs
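
The single-use, short-lived value mentioned in the edit above can replace the password in the POST entirely. The sketch below is an added example, not code from the post or from Kayako: it assumes the helpdesk side and the external application share a secret key, and the function names, the 30-second window and the in-memory set of used nonces (a shared database table in practice) are all hypothetical.

```python
import base64
import hashlib
import hmac
import secrets
import time

TTL_SECONDS = 30  # assumed validity window for a login hand-off


def _mac(secret: bytes, payload: bytes) -> bytes:
    return hmac.new(secret, payload, hashlib.sha256).digest()


def issue_token(secret: bytes, username: str, now=None) -> str:
    """Helpdesk side: called only for a user with an authenticated session."""
    if "\n" in username:
        raise ValueError("username must not contain newlines")
    now = int(time.time() if now is None else now)
    nonce = secrets.token_urlsafe(16)  # makes every token unique
    payload = "\n".join([username, str(now + TTL_SECONDS), nonce]).encode()
    return (base64.urlsafe_b64encode(payload).decode() + "."
            + base64.urlsafe_b64encode(_mac(secret, payload)).decode())


def redeem_token(secret: bytes, token: str, used_nonces: set, now=None):
    """External application: returns the username, or None if rejected."""
    now = int(time.time() if now is None else now)
    try:
        p64, m64 = token.split(".")
        payload = base64.urlsafe_b64decode(p64)
        mac = base64.urlsafe_b64decode(m64)
    except ValueError:
        return None  # malformed token
    # Verify the MAC in constant time before trusting any field.
    if not hmac.compare_digest(mac, _mac(secret, payload)):
        return None  # forged or modified (a guessed username fails here)
    username, expiry, nonce = payload.decode().split("\n")
    if now > int(expiry):
        return None  # copied out of the page source too late
    if nonce in used_nonces:
        return None  # replay: each token logs in exactly once
    used_nonces.add(nonce)
    return username
```

Someone who pauses the page and reads the form source sees only a token that expires within seconds and works once, never the password, and a hand-built form with a guessed username fails the MAC check.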