I'm starting up a community-based network of sites. It will put a large emphasis on user interaction through forums, comments, etc. Beyond that, the sites will focus on news and being a directory/portal for people to find more information on the site's topic.
A community focused site is nothing new, and isn't very difficult to get up and running. However, I want to try something unique. I would like to allow other websites to become part of my community. Basically, I'd like to create a web service that allows them to use my "NetworkX" login for features on their website. I believe this could benefit us both. The other websites would have a large number of registered users who could have quick access to the features of their site. It would benefit me, as my site would likely become a center for the community.
Is it possible to do? I've been reading up on SOAP and related technologies, but I don't know if they can do what I am looking for. Obviously security needs to be a major concern of mine, and I don't know if it is possible to protect my users' data.
Microsoft has done this with their .Net passport, so it is definitely possible. Is it beyond what I can accomplish?
Technically, it is possible (as MS Passport shows!). For example:
1. user logs in at remote site
2. remote site hashes password and passes encrypted username and password to database server (through HTTP) in XML
3. database server returns TRUE and user's unique ID (if valid login) or FALSE (if invalid) to remote site
4. remote site registers unique id and hashed user password in cookie and user is logged in
5. when user's information needs to be retrieved, remote site sends request to database server supplying user id and hashed password
I think there's already a site that provides this kind of service for bloggers, so that people posting comments don't have to sign up for multiple blogs (can't remember the URL ... it's ~keys.com I think).
There are quite a few security issues involved, though. Here are a few:
1. the remote site can easily intercept and store the users' information before it is hashed
2. the remote site has complete access to all the users' personal information on the database server once the user is logged in
Thanks for the reply and the link. Very interesting and helpful.
I don't think it will ever be secure if unencrypted data goes through the remote site en route to the central database. Would it be possible to not actually put the login form on the remote site? Something like:
1. User clicks "Login using NetworkX!"
2. Remote site redirects the user to networkx.com/login, and begins listening for a message from networkx.
3. User logs in at the networkx site.
4. Networkx verifies the user, and sends a message to the remote site OK'ing them.
5. User is redirected back to the remote site, and is now "logged in". The remote site acknowledges them as Userx and uses a session id to keep track of them for the rest of that session.
I'm not going to pretend that I have the ability to code such a system. Another member of our team would be coding it, and I'm just trying to do some research/thinking as to whether it would work.
There are two potential problems I can think of with the above procedure:
1. Can servers send messages like that between one another? Would the required server resources for something like that doom the project from the start? For a large scale system like in the other post, maybe. For my project on a smaller scale?
2. Would the remote site be able to remember the login? Could they then create a cookie to remember that user?
EDIT: Essentially something like how Paypal's "invoice" payments work?
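The redirect-based flow sketched in the post above (steps 1-5), and by contrast the earlier reply's scheme where the remote site hashes the password itself, as an added example in Python. This is not code from the thread or from any real NetworkX system; the hostnames, query-string field names, per-site shared key and the user record are constructed assumptions. NetworkX acts as the identity provider: the password is entered only there, and what goes to the remote site is a short-lived, one-time assertion signed with a key that NetworkX shares with that site. The remote site verifies it and then issues its own random session cookie, so it remembers the login without ever holding a password or a password hash (a hash it could replay to the central server is as good as the password, which is the problem with the earlier scheme).

```python
"""Redirect-based login for a network of sites, simulated in one process.

Constructed example (not from the thread).  NetworkX is the identity
provider; a remote site never sees the password, only a short-lived signed
assertion.  URLs, field names, the shared key and the user are assumptions."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlsplit

NETWORKX_LOGIN_URL = "https://networkx.example/login"  # assumed hostname

# Per-site secret, provisioned out of band when a site joins the network (assumed).
REMOTE_SITES = {"example-remote": b"k3y-provisioned-when-site-joined"}

# ---- NetworkX (identity provider) ------------------------------------------
# Constructed user record: unique id, salt and a salted PBKDF2 hash, never the password.
_SALT = b"per-user-salt-userx"
USERS = {"userx": ("u-1001", _SALT, hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, 100_000))}


def networkx_authenticate(username, password):
    """Return the user's unique id, or None.  Runs only on the NetworkX server."""
    rec = USERS.get(username)
    if rec is None:
        return None
    user_id, salt, stored = rec
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return user_id if hmac.compare_digest(candidate, stored) else None


def networkx_issue_assertion(site_id, nonce, user_id, now):
    """Sign 'user_id logged in for site_id, answering nonce' with that site's key."""
    payload = {"sub": user_id, "aud": site_id, "nonce": nonce, "iat": now, "exp": now + 300}
    body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).rstrip(b"=")
    sig = hmac.new(REMOTE_SITES[site_id], body, hashlib.sha256).hexdigest()
    return body.decode() + "." + sig


# ---- Remote site (relying party) -------------------------------------------
class RemoteSite:
    def __init__(self, site_id, secret, return_url):
        self.site_id, self.secret, self.return_url = site_id, secret, return_url
        self.pending = {}   # nonce -> time issued; each nonce is accepted once
        self.sessions = {}  # session cookie value -> user id

    def start_login(self):
        """Step 2: build the redirect to NetworkX, remembering a fresh nonce."""
        nonce = secrets.token_urlsafe(16)
        self.pending[nonce] = time.time()
        query = urlencode({"site": self.site_id, "nonce": nonce, "return_to": self.return_url})
        return f"{NETWORKX_LOGIN_URL}?{query}"

    def finish_login(self, assertion, now=None):
        """Step 5: verify the assertion the browser brought back and open a session."""
        now = time.time() if now is None else now
        body, _, sig = assertion.rpartition(".")
        expected = hmac.new(self.secret, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig, expected):
            raise ValueError("signature does not verify: forged or altered assertion")
        payload = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
        if payload["aud"] != self.site_id:
            raise ValueError("assertion was issued for a different site")
        if not payload["iat"] <= now < payload["exp"]:
            raise ValueError("assertion expired or not yet valid")
        if payload["nonce"] not in self.pending:
            raise ValueError("unknown nonce: replayed or never requested")
        del self.pending[payload["nonce"]]          # one-time use defeats replay
        session_id = secrets.token_urlsafe(32)      # random; unrelated to any password
        self.sessions[session_id] = payload["sub"]
        return session_id                           # value to set in the remote site's cookie


def simulate_login(site, username, password, now=None):
    """Drive steps 1-5 in-process.  Returns (session_id, assertion) or (None, None)."""
    now = time.time() if now is None else now
    redirect = site.start_login()                                    # steps 1-2
    params = {k: v[0] for k, v in parse_qs(urlsplit(redirect).query).items()}
    user_id = networkx_authenticate(username, password)              # step 3, at NetworkX only
    if user_id is None:
        return None, None
    assertion = networkx_issue_assertion(params["site"], params["nonce"], user_id, now)  # step 4
    return site.finish_login(assertion, now), assertion              # step 5


if __name__ == "__main__":
    site = RemoteSite("example-remote", REMOTE_SITES["example-remote"], "https://remote.example/sso")
    sid, token = simulate_login(site, "userx", "correct horse")
    print("session", sid, "belongs to", site.sessions[sid])
```

In a real deployment the assertion travels in the redirect back to `return_to` (over HTTPS), the remote site keeps `pending` and `sessions` in server-side storage, and the per-site key is what stops any other member site from minting logins for this one. Nothing here requires the two servers to open a direct connection: the user's browser carries the message, and the signature plus the nonce are what make it trustworthy.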