
Our current project has a partner company which wants to redirect to our site and continue a journey which is in our site. They will be sending data of their logged in user along with the redirect.

What is the best way to ensure that the redirect is from that specific domain and that the data is sent securely?

I was thinking of using HTTP referer header along with encrypted data in the query string?

Zuhair

3 Answers

along with encrypted data in the query string?

will only work securely if the client or the original server has sent you the information needed to decrypt it already - and if the client knows how to decrypt it, the client could tamper with the data, and tamper with the request headers, allowing them to get to the second site despite not coming from the first. (Yes, HTTP referrers can be forged. In general, nothing done on the client-side is trustworthy.)

The secure way to do this would be to, when the sender site is sure that an authenticated user can be authorized to redirect to your site, have the sender site send a server-side request to your site's backend, encrypted of course. Your backend can save the information or token in a database, then tell the original site that the request has succeeded. Then the original site can communicate to the client that they can redirect to your site. When a client reaches your site, look up the (encrypted) token in your database to ensure that such a request was made in the past few seconds, and that the token hasn't been used before.

Setting up all the cross-site communication does take some effort, but once done, you can be sure that the only users permitted will be authorized by the original site.

CertainPerformance
  • In that case, will the redirect URL have the single-use token (suppose we sent a token back when the other site makes a request to our backend) sent in the query parameter, so that the tokens can be matched and verified? Otherwise how would we match the user and the token? – Zuhair Jul 02 '21 at 23:34
  • Yes, the redirect process will have to include the client communicating the token to your server somehow. Putting it as a query parameter will work. (Hopefully your site requires HTTPS, which is pretty easy to set up for free nowadays) – CertainPerformance Jul 02 '21 at 23:36
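The flow this answer describes (partner backend registers a token with our backend over a back channel, the browser then arrives with that token in the query string, and we accept it only if it is recent and unused) as an added worked example; this is not code from the answer or from any real integration. The shared secret, the 30-second lifetime, the `RedirectTokenStore` class and the `?token=` parameter name are all assumptions chosen for the illustration; the injectable clock exists only so the expiry check can be exercised deterministically.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional
from urllib.parse import parse_qs, urlencode, urlparse, urlunparse

TOKEN_TTL_SECONDS = 30  # assumption: how long a registered token stays valid


@dataclass
class PendingRedirect:
    user_ref: str          # opaque reference the partner gave us for this user
    created_at: float
    used: bool = False


class RedirectTokenStore:
    """Our backend's record of tokens the partner's backend registered server-to-server.

    The browser never sees anything except the random token; the identity
    behind it lives only in this store, so tampering with the redirect cannot
    change who the user is.
    """

    def __init__(self, partner_shared_secret: bytes,
                 ttl: float = TOKEN_TTL_SECONDS,
                 clock: Callable[[], float] = time.time) -> None:
        self._secret = partner_shared_secret   # assumption: partner authenticates with a shared secret over TLS
        self._ttl = ttl
        self._clock = clock
        self._tokens: Dict[str, PendingRedirect] = {}

    def register(self, presented_secret: bytes, user_ref: str) -> str:
        """Back-channel call from the partner. Returns the one-time token to hand to the browser."""
        # Constant-time comparison so the check does not leak the secret byte by byte.
        if not hmac.compare_digest(presented_secret, self._secret):
            raise PermissionError("partner authentication failed")
        token = secrets.token_urlsafe(32)   # 256 bits of randomness: unguessable
        self._tokens[token] = PendingRedirect(user_ref=user_ref, created_at=self._clock())
        return token

    def consume(self, token: str) -> Optional[str]:
        """Called when the browser arrives. Returns the user reference, or None if the token is unknown, expired or already used."""
        entry = self._tokens.get(token)
        if entry is None:
            return None
        expired = self._clock() - entry.created_at > self._ttl
        if entry.used or expired:
            del self._tokens[token]          # drop stale or replayed tokens
            return None
        entry.used = True                    # single use: a replay of the same URL is rejected
        return entry.user_ref


def build_redirect_url(base_url: str, token: str) -> str:
    """The URL the partner tells the browser to follow (assumes an HTTPS base)."""
    parts = urlparse(base_url)
    return urlunparse(parts._replace(query=urlencode({"token": token})))


def token_from_query(url: str) -> Optional[str]:
    """Extract exactly one token from the incoming request URL; anything else is rejected."""
    values = parse_qs(urlparse(url).query).get("token", [])
    return values[0] if len(values) == 1 else None


if __name__ == "__main__":
    store = RedirectTokenStore(b"constructed-shared-secret")
    # 1. partner backend -> our backend (server-side, authenticated)
    token = store.register(b"constructed-shared-secret", "partner-user-42")
    # 2. partner tells the browser to go here
    url = build_redirect_url("https://example.test/continue", token)
    # 3. browser arrives; we look the token up
    print(store.consume(token_from_query(url)))   # partner-user-42
    print(store.consume(token_from_query(url)))   # None: second use is refused
```

The store is in-memory for the example; in production it would be a shared database or cache so that any backend node can honour a token registered through another node, and the expiry would be enforced there as well.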

The ideal way to integrate SSO (Single Sign On) between two apps is to use enterprise integration technologies like SAML, OAuth etc.

If that is not possible, they should send a user with a unique token (GUID/UUID)

Your code then calls a URL on the partner app's server to validate the token and get the user's identity.

This will make sure that the user's identity can not be tampered with in the redirect request.

User's identity information should NEVER be passed as part of the HTTP(S) request as that can be tampered/changed by using proxy tools like burp or fiddler etc.

ullfindsmit
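The validation-callback pattern from this answer (the browser brings only an opaque token; our code asks the partner's server who that token belongs to, and nothing in the request itself is treated as identity) as an added example that is not part of the answer. The `FakePartnerIdentityService` stands in for the partner's validation endpoint, which in reality is an HTTPS call from our backend; the `token` query parameter name and the shape of the identity record are assumptions.

```python
import uuid
from typing import Callable, Dict, Optional
from urllib.parse import parse_qs, urlparse

Identity = Dict[str, str]
Validator = Callable[[str], Optional[Identity]]


class FakePartnerIdentityService:
    """Constructed stand-in for the partner's token-validation URL.

    In production `validate` would be an authenticated HTTPS request from our
    backend to the partner's backend; here it is an in-process lookup so the
    example runs offline.
    """

    def __init__(self) -> None:
        self._issued: Dict[str, Identity] = {}

    def issue_token(self, identity: Identity) -> str:
        """Partner side: mint a GUID for a logged-in user before redirecting them."""
        token = str(uuid.uuid4())
        self._issued[token] = dict(identity)
        return token

    def validate(self, token: str) -> Optional[Identity]:
        """Partner side: answer our back-channel query, once per token."""
        return self._issued.pop(token, None)   # single use: a second query fails


def identity_from_redirect(request_url: str, validate: Validator) -> Optional[Identity]:
    """Our side: derive the user's identity from the partner's answer only.

    Any user-identifying fields that happen to be in the query string
    (for example a tampered ?user=... added with an intercepting proxy) are
    never read; the partner's validation response is the sole source of truth.
    """
    query = parse_qs(urlparse(request_url).query)
    tokens = query.get("token", [])
    if len(tokens) != 1:
        return None
    return validate(tokens[0])


if __name__ == "__main__":
    partner = FakePartnerIdentityService()
    token = partner.issue_token({"id": "u-1001", "email": "alice@example.test"})
    # A tampered redirect that also claims to be someone else:
    url = f"https://example.test/continue?token={token}&user=admin"
    print(identity_from_redirect(url, partner.validate))   # {'id': 'u-1001', 'email': 'alice@example.test'}
    print(identity_from_redirect(url, partner.validate))   # None: token already consumed
```

Because the identity travels only over the server-to-server call, the partner's endpoint must authenticate our backend (mutual TLS or a client credential) so that nobody else can spend a token on a user's behalf; that piece is outside what the fake shows.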

One way to achieve this is implementing SSO between the two applications. If you use SAML SSO, you can always secure the redirection using a certificate and signing and verifying data coming and going.

Darshani Jayasekara