user635800 - 4 months ago 15
PHP Question

Authentication without username/password?

We are building a PHP multi-tenant application. Each company's account will run on their own subdomain abcorp.example.com. The application allows companies to write and publish content (faqs, etc) for their customers to read.

They will tell their customers to visit: abcorp.example.com/ to read the content. Or they will put a link to that URL in their secure web application.

However, these companies may not want just anyone reading the content by going to abcorp.example.com/.

So, the question I have is: is there any way to provide some basic authentication without getting into username and password authentication? I was thinking about some kind of hidden token added to the hyperlink, or something like that.

My goal:

  1. If users type abcorp.example.com/ directly in the browser, they will not be able to see the web page because they didn't authenticate or pass the token in.
  2. Avoid using usernames and passwords.

Another option would be Referring URL Authentication.

Answer

You can use basic hashing whereby a shared secret password or "key" is stored on your system and on each company's system (a different key for each company, not published publicly), and then you hash the secret password with the subdomain in the link and include the digest as a parameter. Then you validate it by running the same algorithm on your side and comparing the result to the digest.

The link might look something like:

abc.example.com/?d=b5939ca22f5dcf345b4000641995478c5910dbd1607b1bdadcbf4a8618a95211

where the digest is:

$d = hash('sha256', $secret_password.$subdomain);

or, including the referer:

$d = hash('sha256', $secret_password.$subdomain.$_SERVER['HTTP_REFERER']);

The hurdle to get over is making sure each of the companies can support the correct generation of these links based on the company-specific key/algorithm - and that it is different for each company, so one company cannot produce links for another.

It is better than no authentication, or a public shared token that is not validated at all, but I'm sure it still has vulnerabilities.
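A worked version of this scheme, added here as an example and not code from the original answer: it signs the link with hash_hmac instead of a bare hash of secret.subdomain, adds an expiry so a leaked link does not stay valid forever (one step beyond the answer), and validates with hash_equals. The TENANT_KEYS store, the function names and the query parameter names are assumptions.

```php
<?php
// Added example (not from the original answer). Per-tenant secrets are
// assumed to live in a map like this; in practice load them from config.
const TENANT_KEYS = [
    'abcorp' => 'replace-with-long-random-secret-for-abcorp',
    'xyzinc' => 'replace-with-long-random-secret-for-xyzinc',
];

// Build a link for one tenant that stops working at $expires (unix time).
// The HMAC covers both the subdomain and the expiry, so a holder of the
// link cannot change either without invalidating the digest.
function signedLink(string $subdomain, int $expires): string {
    if (!isset(TENANT_KEYS[$subdomain])) {
        throw new InvalidArgumentException('unknown tenant');
    }
    $d = hash_hmac('sha256', $subdomain . '|' . $expires, TENANT_KEYS[$subdomain]);
    return sprintf('https://%s.example.com/?e=%d&d=%s', $subdomain, $expires, $d);
}

// Validate an incoming request: $subdomain taken from the Host header,
// $e and $d from the query string. Returns true only for a link that is
// signed with this tenant's key and has not expired.
function validateRequest(string $subdomain, string $e, string $d, int $now): bool {
    if (!isset(TENANT_KEYS[$subdomain]) || !ctype_digit($e)) {
        return false; // unknown tenant or malformed expiry: fail closed
    }
    $expected = hash_hmac('sha256', $subdomain . '|' . $e, TENANT_KEYS[$subdomain]);
    // hash_equals compares in constant time, so the digest cannot be
    // guessed byte by byte from response timing
    return hash_equals($expected, $d) && (int)$e > $now;
}

// Usage with constructed values: one valid check, one cross-tenant
// check, one expired check.
$link = signedLink('abcorp', time() + 3600);
$q = [];
parse_str((string)parse_url($link, PHP_URL_QUERY), $q);
echo validateRequest('abcorp', $q['e'], $q['d'], time()) ? "ok\n" : "rejected\n";
echo validateRequest('xyzinc', $q['e'], $q['d'], time()) ? "ok\n" : "rejected\n";        // other tenant's key
echo validateRequest('abcorp', $q['e'], $q['d'], time() + 7200) ? "ok\n" : "rejected\n"; // past expiry
```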