Question

I have to create a way to keep the session authentication from application A to application B, but I can't use:

  • SSO
  • POST calls

and we know that GET is not a good choice, but I'll need to use it. So I am thinking of using something like "public keys"; what do you think about this approach?

I am thinking of:

  1. The user authenticates in application A.
  2. In application A there is a link to application B; the user clicks on this link.
  3. Application A opens the application B page, sending a "public key" (a database-persisted authentication key?).
  4. Application B validates this key and authorizes the user or not.

The solution

In step 3, rather than thinking of a "public key", think of a "session token". Specifically, A redirects to B with

http://b.application.com?token=123-3-2-1-3-2-2-1-2-32-3-5-2-4-5245

Tokens should be unique and short-living.

B then contacts A directly and asks about the identity behind the session token:

http://a.application.com/userservice/getuser/123-3-2-1-3-2-2-1-2-32-3-5-2-4-5245

Because B contacts A directly, there is no way for users to forge invalid tokens - a random token just points to a non-existing session at A.
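As an added illustration (this is not code from the answer above or from either application), here is a small Python model of the hand-off the answer describes: A mints a unique, short-lived token and redirects to B with it in the query string; B resolves the token through a direct back-channel call to A rather than trusting anything in the URL. The class names, the `TOKEN_TTL_SECONDS` value, the single-use rule and the `FakeClock` helper are my assumptions; the two hostnames come from the answer. Because the token travels in a GET URL (and so may land in browser history, referrer headers and proxy logs), the model also consumes each token on first use and binds it to the target application, so a copied URL cannot be replayed.

```python
import secrets
import time
import urllib.parse
from dataclasses import dataclass

# Assumed lifetime of a hand-off token; the answer only says "short-living".
TOKEN_TTL_SECONDS = 60


@dataclass
class HandoffToken:
    username: str
    issued_at: float
    audience: str  # the application this token was minted for


class AppA:
    """Application A: authenticates users and mints hand-off tokens."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._tokens = {}  # token -> HandoffToken (server-side state only)

    def issue_handoff_token(self, username, audience="B"):
        # 256 bits from the OS CSPRNG: unguessable, unlike a counter or a hash of the user.
        token = secrets.token_urlsafe(32)
        self._tokens[token] = HandoffToken(username, self._clock(), audience)
        return token

    def redirect_url(self, username):
        """The URL A redirects the browser to (the answer's step 3)."""
        token = self.issue_handoff_token(username)
        return "http://b.application.com/?token=" + urllib.parse.quote(token, safe="")

    def get_user(self, token, audience="B"):
        """Back-channel endpoint B calls (the answer's /userservice/getuser).

        Returns the username or None. The token is removed on first lookup,
        so a replayed URL or a leaked browser-history entry resolves to nothing.
        """
        record = self._tokens.pop(token, None)
        if record is None:
            return None  # unknown or already-used token: "non-existing session at A"
        if record.audience != audience:
            return None  # token minted for a different application
        if self._clock() - record.issued_at > TOKEN_TTL_SECONDS:
            return None  # expired
        return record.username


class AppB:
    """Application B: never trusts the URL; asks A who the token belongs to."""

    def __init__(self, app_a):
        self._app_a = app_a
        self.sessions = {}  # B's own session id -> username

    def handle_landing(self, url):
        query = urllib.parse.parse_qs(urllib.parse.urlparse(url).query)
        token = query.get("token", [None])[0]
        if not token:
            return None
        username = self._app_a.get_user(token)  # direct server-to-server call
        if username is None:
            return None
        # Issue B's own session rather than reusing the hand-off token as a session id.
        session_id = secrets.token_urlsafe(32)
        self.sessions[session_id] = username
        return session_id


class FakeClock:
    """Controllable clock so expiry can be exercised without sleeping."""

    def __init__(self, now=1000.0):
        self.now = now

    def __call__(self):
        return self.now


def demo():
    """Runs the four cases a reviewer would check; returns the outcomes."""
    clock = FakeClock()
    a = AppA(clock=clock)
    b = AppB(a)

    url = a.redirect_url("alice")
    first = b.handle_landing(url)                       # valid hand-off
    replay = b.handle_landing(url)                      # same URL again: consumed
    forged = b.handle_landing("http://b.application.com/?token=123-3-2-1")  # guessed
    url2 = a.redirect_url("bob")
    clock.now += TOKEN_TTL_SECONDS + 1
    expired = b.handle_landing(url2)                    # too old

    return {
        "first_user": b.sessions.get(first),
        "replay": replay,
        "forged": forged,
        "expired": expired,
    }


if __name__ == "__main__":
    print(demo())
```

In a real deployment the `get_user` call is an HTTPS request from B's server to A's server, authenticated between the two services, so that only B can resolve tokens; the in-process call here stands in for that request.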

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow