Question

I have a portal which I use to access other websites.

Say I have a portal A, and I want to access the website B.

If B needs some critical info to work, like a username, I want to pass this info securely.

So I make a form like this:

    <%--------------------------------------------------------------------------------------%>
    <form id="frm_sal" action="B URL the first page" method="post">
    <input id="hdn_sal_Emp_Num" type="hidden" runat="server" name="hdn_sal_Emp_Num" />
    <input id="hdn_sal_user_name" type="hidden" runat="server" name="hdn_sal_user_name" />
    <input id="hdn_sal_result" type="hidden" runat="server" name="hdn_sal_result" />
    </form>
    <%--------------------------------------------------------------------------------------%>

And in the click event of a link in portal A, I submit this form.

One form for each website.

My question is about how to secure this data and prevent tampering.


Solution

Encrypt the information in a <form> before sending it to the client, then decrypt it on the other end using a private key.

Here's a good encryption example: Encrypt and decrypt a string

Here's something I like to do. Create a class called 'SharedSession' and add the properties you want to share, the properties can even be other classes. Add a timestamp property as well. Serialize the class into a Json string (Json.net), encrypt it and shove it into a form field.

When the form is posted to the other side, deserialize it as the 'SharedSession' class.

Use the timestamp field for two reasons:

1) to make it look like the encrypted data always changes. For example, if you're sending the same credentials for the current user over and over, the encrypted string would never change, so the timestamp forces the encrypted string to appear different every time.

2) to make sure the posted data isn't stale, or old. Set a threshold of about 1 minute or so. If the data is more than 1 minute old, throw it out.

EDIT

One other thing... don't call your hidden form field 'SharedSessionData' or anything a hacker would be interested in. Call it something like 'promotional-ad-data' to throw 'em off.

Hope this helps.
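As an added example, not this answer's own code: the 'SharedSession' pattern described above, with the one-minute staleness check, using authenticated encryption (AES-GCM) so that website B detects any change to the hidden field instead of decrypting it to garbage, which is what the question's tampering concern actually needs. It assumes .NET 8 (System.Security.Cryptography.AesGcm; System.Text.Json in place of Json.net) and a 32-byte key that portal A and website B share out of band, rather than the asymmetric "private key" the answer mentions. The property names follow the question's hidden inputs; the class and method names Seal, Open and SharedSessionCodec are mine.

```csharp
using System;
using System.Security.Cryptography;
using System.Text.Json;

// The shared object from the answer: the fields B needs plus a timestamp.
public sealed class SharedSession
{
    public string EmpNum { get; set; } = "";
    public string UserName { get; set; } = "";
    public string Result { get; set; } = "";
    public long Timestamp { get; set; }   // Unix seconds, set by Seal, checked by Open
}

public static class SharedSessionCodec
{
    private const int NonceSize = 12;       // 96-bit nonce, the recommended size for GCM
    private const int TagSize = 16;         // 128-bit authentication tag
    private const long MaxAgeSeconds = 60;  // the answer's "about 1 minute" threshold

    // Portal A: serialize to JSON, encrypt + authenticate, base64 the blob for the hidden field.
    // The random nonce already makes every ciphertext differ; the timestamp is kept for freshness.
    public static string Seal(SharedSession session, byte[] key)
    {
        session.Timestamp = DateTimeOffset.UtcNow.ToUnixTimeSeconds();
        byte[] plaintext = JsonSerializer.SerializeToUtf8Bytes(session);
        byte[] nonce = RandomNumberGenerator.GetBytes(NonceSize);
        byte[] ciphertext = new byte[plaintext.Length];
        byte[] tag = new byte[TagSize];
        using (var aes = new AesGcm(key, TagSize))
        {
            aes.Encrypt(nonce, plaintext, ciphertext, tag);
        }
        // Wire format: nonce || tag || ciphertext
        byte[] blob = new byte[NonceSize + TagSize + ciphertext.Length];
        Buffer.BlockCopy(nonce, 0, blob, 0, NonceSize);
        Buffer.BlockCopy(tag, 0, blob, NonceSize, TagSize);
        Buffer.BlockCopy(ciphertext, 0, blob, NonceSize + TagSize, ciphertext.Length);
        return Convert.ToBase64String(blob);
    }

    // Website B: verify the tag first (a single modified byte fails here), then check age.
    public static SharedSession Open(string fieldValue, byte[] key)
    {
        byte[] blob = Convert.FromBase64String(fieldValue);
        if (blob.Length < NonceSize + TagSize)
            throw new CryptographicException("payload too short");
        ReadOnlySpan<byte> nonce = blob.AsSpan(0, NonceSize);
        ReadOnlySpan<byte> tag = blob.AsSpan(NonceSize, TagSize);
        ReadOnlySpan<byte> ciphertext = blob.AsSpan(NonceSize + TagSize);
        byte[] plaintext = new byte[ciphertext.Length];
        using (var aes = new AesGcm(key, TagSize))
        {
            aes.Decrypt(nonce, ciphertext, tag, plaintext); // throws on any tampering
        }
        SharedSession session = JsonSerializer.Deserialize<SharedSession>((ReadOnlySpan<byte>)plaintext)
            ?? throw new CryptographicException("empty payload");
        long age = DateTimeOffset.UtcNow.ToUnixTimeSeconds() - session.Timestamp;
        if (age < 0 || age > MaxAgeSeconds)
            throw new CryptographicException("payload is stale");
        return session;
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed key for the demo; in practice both sites load the same secret from configuration.
        byte[] key = RandomNumberGenerator.GetBytes(32);
        string field = SharedSessionCodec.Seal(new SharedSession { EmpNum = "1234", UserName = "jdoe" }, key);
        Console.WriteLine("B sees user: " + SharedSessionCodec.Open(field, key).UserName);

        // Flip one bit of the ciphertext: GCM rejects the whole payload rather than yielding altered JSON.
        byte[] tampered = Convert.FromBase64String(field);
        tampered[tampered.Length - 1] ^= 0x01;
        try { SharedSessionCodec.Open(Convert.ToBase64String(tampered), key); }
        catch (CryptographicException e) { Console.WriteLine("rejected: " + e.Message); }
    }
}
```

Two details worth keeping in mind: the freshness window only limits how long a captured field stays usable, it does not stop a replay inside that minute, so B should still treat the payload as a login assertion and not as a session; and GCM nonces must never repeat under one key, which a 96-bit random nonce guarantees only for a modest number of messages, so rotate the shared key rather than reuse it indefinitely.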

Other tips

There are a couple of ways this can work.

The first would be to encrypt the query string in some fashion; mcrypt springs to mind, which is decently supported cross-platform. This does rely on the person not breaking your salt/passphrase, which can be mitigated by changing the salt frequently. The other issue you have is a replay attack, which is when someone copy-pastes the URL from one user into another browser, essentially copying the request. This can be mitigated by using a datetime in the URL along with a one-time token that cannot be re-used.

The other way would be for the two servers to communicate: when you send a user from one site to another, you send the data (with a unique token/GUID) via a server communication protocol of some manner (SOAP, REST, something made up) and then just give the user the token to pass over.

Unless the website is internal, you should always avoid locking down via IP address; lots of users have multiple IP addresses and use various rules to spread data across IPs, so they can change mid-request, and even some large ISPs (AOL being one) force users through proxies which have multiple endpoints and different addresses.

The last option would be to have a shared datastore, i.e. a database which both web servers can 'talk' to in order to query user information. This is made easier if they are on the same domain, so you can set a session cookie that works on both sites; if not, then you need to go back to the unique token being passed around.
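Added example, not from this answer, of the server-side handoff it describes: the sensitive data never travels through the browser, the user carries only an opaque one-time token, and redeeming it once both defeats the replay attack mentioned above and gives it an expiry. Written in C# to match the question's ASP.NET setup. It assumes portal A and website B can reach one shared store; a ConcurrentDictionary stands in for that database or service here (so as written it only works when both sites run in one process), the record fields mirror the question's hidden inputs, and the names HandoffStore, Issue and Redeem are mine.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;

// What A parks server-side for B to pick up; mirrors the question's hidden fields.
public sealed class HandoffRecord
{
    public string EmpNum { get; init; } = "";
    public string UserName { get; init; } = "";
    public DateTimeOffset ExpiresAt { get; init; }
}

public sealed class HandoffStore
{
    // Stand-in for the shared database/service both web servers can reach.
    private readonly ConcurrentDictionary<string, HandoffRecord> _pending = new();
    private readonly Func<DateTimeOffset> _now;
    private readonly TimeSpan _ttl;

    public HandoffStore(TimeSpan ttl, Func<DateTimeOffset>? clock = null)
    {
        _ttl = ttl;
        _now = clock ?? (() => DateTimeOffset.UtcNow);
    }

    // Portal A: store the user data and hand the browser only an unguessable token.
    public string Issue(string empNum, string userName)
    {
        // 256 bits from the CSPRNG, base64url-encoded so it is safe in a URL or form field.
        string token = Convert.ToBase64String(RandomNumberGenerator.GetBytes(32))
            .TrimEnd('=').Replace('+', '-').Replace('/', '_');
        _pending[token] = new HandoffRecord
        {
            EmpNum = empNum,
            UserName = userName,
            ExpiresAt = _now() + _ttl,
        };
        return token;
    }

    // Website B: redeem exactly once. TryRemove is atomic, so a second use of the same
    // token (a copied URL) finds nothing; a token past its expiry is discarded as well.
    public HandoffRecord? Redeem(string token)
    {
        if (!_pending.TryRemove(token, out HandoffRecord? record))
            return null;
        return record.ExpiresAt > _now() ? record : null;
    }
}

public static class HandoffDemo
{
    public static void Main()
    {
        var store = new HandoffStore(TimeSpan.FromMinutes(1));
        string token = store.Issue("1234", "jdoe");          // A puts only this token in the redirect
        HandoffRecord? first = store.Redeem(token);           // B's first request succeeds
        HandoffRecord? replay = store.Redeem(token);          // the same token again is rejected
        Console.WriteLine("first: " + (first?.UserName ?? "rejected") + ", replay: " + (replay?.UserName ?? "rejected"));
    }
}
```

With a real database the same two properties matter: the token must come from a CSPRNG and be long enough that guessing is hopeless, and the redeem step must be a single atomic delete-and-return (for SQL, a DELETE with an OUTPUT/RETURNING clause or a row lock) so two concurrent requests cannot both succeed.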

In Pass data from page to page safely a user describes creating a custom class to hold your sensitive data and placing it in cache. I believe you could also use a Session to accomplish what you're talking about which is discussed here: How to pass a hidden field from one page to another?

There are a few ways I believe and I don't think I'm knowledgeable enough to tell you which is the best but I hope those links I've provided point you in the right direction!

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow