Server-server communication and authentication through certificates


galatia66
12-28-2005, 02:04 AM
Hi all,

A user at serverA will, let's say, be signing up to attend for a conference. Then when they have to make a credit card payment, they will be taken to serverB. serverA will need to send some data to serverB (for example what conference this person is paying for and how much it is).

My first question is how can serverB identify that the user was originally at serverA? I want to restrict who is able to access serverB. Will the referer header be reliable for this? What about the issue of spoofing? Or would it be better to pass a field that identifies the server as part of the post fields?

After knowing that the request is from serverA, serverB needs to make sure that serverA is who he claims to be. serverB will not accept users coming from servers other than serverA (and say, serverC). Is there a way for serverB to communicate with serverA, grab serverA's certificate, check that it is signed by a trusted authority, and check that it is actually serverA?
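
As an added example (not code from either poster), here is one way serverB can tell that a payment hand-off genuinely originated at serverA, or serverC, without relying on the Referer header, which the browser sends and which anyone can set or strip. Each trusted server shares a secret with serverB, provisioned out of band (the secrets, server ids, conference name and amounts below are constructed placeholders). serverA signs the POST fields with an HMAC over a canonical serialisation that also carries a timestamp and a nonce; serverB recomputes the MAC, rejects unknown server ids, tampered fields, stale requests and replays. The channel itself should still be TLS so the fields are not readable in transit; the MAC answers the "who sent this?" question that TLS to the browser alone does not.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote

# Constructed shared secrets, one per server allowed to hand users to serverB.
# Real secrets are provisioned out of band and never travel in a request.
TRUSTED_SERVERS = {
    "serverA": b"example-secret-for-serverA",
    "serverC": b"example-secret-for-serverC",
}

# Every field that serverB relies on must be covered by the signature.
SIGNED_FIELDS = ("server_id", "conference", "amount", "currency", "ts", "nonce")


def canonical_string(fields):
    """Deterministic serialisation: sorted key=value pairs, percent-encoded so a
    value containing '&' or '=' cannot shift field boundaries."""
    return "&".join(
        f"{quote(k, safe='')}={quote(str(fields[k]), safe='')}"
        for k in sorted(SIGNED_FIELDS)
    )


def sign_request(server_id, secret, conference, amount, currency, now=None):
    """Run on the sending server (serverA): build the POST fields and attach the MAC."""
    fields = {
        "server_id": server_id,
        "conference": conference,
        "amount": amount,
        "currency": currency,
        "ts": str(int(now if now is not None else time.time())),
        "nonce": secrets.token_hex(16),
    }
    fields["sig"] = hmac.new(secret, canonical_string(fields).encode(), hashlib.sha256).hexdigest()
    return fields


class PaymentVerifier:
    """Run on the receiving server (serverB)."""

    def __init__(self, trusted, max_skew=300):
        self.trusted = trusted          # server_id -> shared secret (the allow-list)
        self.max_skew = max_skew        # seconds a request stays acceptable
        self.seen_nonces = {}           # nonce -> time after which it may be forgotten

    def verify(self, fields, now=None):
        now = now if now is not None else time.time()
        # 1. every signed field plus the signature must be present
        missing = [k for k in SIGNED_FIELDS + ("sig",) if k not in fields]
        if missing:
            return False, f"missing fields: {missing}"
        # 2. only servers on the allow-list may hand users over
        secret = self.trusted.get(fields["server_id"])
        if secret is None:
            return False, "unknown server_id"
        # 3. recompute the MAC and compare in constant time
        expected = hmac.new(secret, canonical_string(fields).encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected.encode(), str(fields["sig"]).encode()):
            return False, "bad signature"
        # 4. freshness: the timestamp is signed, so it cannot be adjusted by a forger
        try:
            ts = int(fields["ts"])
        except ValueError:
            return False, "bad timestamp"
        if abs(now - ts) > self.max_skew:
            return False, "stale request"
        # 5. replay: a nonce is accepted once within the freshness window
        self._expire(now)
        if fields["nonce"] in self.seen_nonces:
            return False, "replayed nonce"
        self.seen_nonces[fields["nonce"]] = now + self.max_skew
        return True, "ok"

    def _expire(self, now):
        for nonce, keep_until in list(self.seen_nonces.items()):
            if keep_until <= now:
                del self.seen_nonces[nonce]


if __name__ == "__main__":
    verifier = PaymentVerifier(TRUSTED_SERVERS)
    req = sign_request("serverA", TRUSTED_SERVERS["serverA"], "example-conf", "149.00", "USD")
    print(verifier.verify(req))                        # accepted
    print(verifier.verify(dict(req, amount="1.00")))   # amount changed in flight
    print(verifier.verify(req))                        # same request submitted twice
    print(verifier.verify(sign_request("serverX", b"guess", "example-conf", "1.00", "USD")))
```

If you would rather go the certificate route you describe, the same allow-list idea applies at the TLS layer: serverB's listener requires a client certificate that chains to a CA you control and matches the presented subject against the list of permitted servers. The signed-field approach above is the lighter option when the data travels through the user's browser, since the browser never holds serverA's key.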

Waylander
12-29-2005, 06:49 AM
I think that encrypting the data stream itself would be a good option. I've read a bit about it; I'm pretty sure it's possible. That way the keys are on the servers, so the potential spoofers can't even communicate with the secure server to get a chance to get in.

Waylander.