Is the following authentication solution safe or am I missing something?

Question

Context:

I have two web servers ServerA (LAMP stack) and ServerB (ASP.NET stack). I think the technology (hopefully) does not matter. Both servers require authentication and supposedly doing their job well, if not that is out of scope in this question.

Task:

I would like to implement a page with iframe content. ServerA serves the outer content ServerB serves the inner content (the iframe). The servers are in different domain. When user X logs to ServerA and navigates to the page, I would like to show a personal and sensitive content coming from ServerB in the iframe. The content belongs to user X's identity in server B.

Proposed solution:

• ServerA and ServerB has a shared secret (server side)
• Users are replicated from ServerA to ServerB. Usernames match, passwords on ServerB random generated and not used at all. (keep reading)
• ServerA authenticates the user via https using a form based authentication
• Outer page contains the following html fragement where the .any extension in the url is configured to execute and respond in the server for example .aspx or .cshtml or .php etc:

.

<img src="https://serverb.com/dummy.any?parameter=crypted_username_and_date_using_the secret" style="display:none;" />

• In ServerB when a request received to the dummy.any url it decrypts the parameter, does some checking then in the response sets a crypted cookie containing with the username. The crypting key could be the shared secret or better it can be a ServerB's private secret.

• In ServerB when a request received to the inner page (the iframe) it should contain the cookie, what was set for this very same domain (https://serverb) if the cookie is there and the userX is existing, and say a 5 minutes the timeframe is all OK, then ServerB uses its authentication subsystem to log on the user programmatically (no password provided). (the authentication subsystem sets their own cookies or whatever, this hopefully black box in our point of view)

• After this ServerB serves sensitive content which belongs to userX.

Please note I am a developer and not a security expert. That's why I am asking before implementing a security hole.

Answer 1

I'm not sure this should be an answer, but I have too much to type for a comment...

What you are suggesting looks OK to me, with some assumptions:

• The shared secret is good - no 'test123' etc.
• The crypto you use is good. No ROT13 ;)
• The usernames are case-sensitive, sounds obvious but I can imagine registering user abc and gaining access to user aBc's info

As a principal I think it works. The only thing I can think of is if a user is somehow able to register an account on server A that already exists on server B, but I'm sure you've thought of that.

Obviously if you have other security issues (vulns on either of the servers, the usual web attacks etc.) then all bets are off.

Answer 2

The issue for me is that, in absence of session management, the request to serverB is susceptible to replay attacks. Hopefully ALL the communications between servers and client are via HTTPS, not just the authentication (otherwise that's a big security issue) so that reduces the possiblity of interception. However 5 minutes is a very long time for the token to be valid on the remote server. It also means you'll need to ensure that the clocks on the servers are synchronized.

Wouldn't it be simpler just to pass a single, timestamped, rapidly expiring token in the iframe URL?

An alternative solution would be for serverA to request a one time password from serverB when the outer page is requested, and include that in the URL for the iframe. But that doesn't scale so easily.