Let's discuss the issue of creating a separate website, help.myapp.com, which would only be accessible to authorized users of several existing web applications with different subdomains. The applications are not related to each other, and authorization is done through login/password on each one.


There are currently three proposed solutions for creating the help website.

The first one suggests creating a single authentication node (auth.myapp.com) and implementing OpenID for authentication on help.myapp.com. However, this requires significant changes to the architecture and may not be feasible.

The second solution is to allow users to enter their password directly on help.myapp.com and check all available databases for a matching username/password combination. This solution seems cumbersome, as users would have to enter their login credentials on both the main application and the help website.

The third option involves authorization by referrer, where users who came via a link from one of the acceptable sites would automatically gain access to the help website. However, this approach has security risks, as referrers can be easily forged, and direct links to help pages would not work.

Are there any other solutions that can be considered? It is important to ensure a secure and efficient user experience while integrating the help website with the existing applications.

Is it possible to authorize users on auth.myapp.com when they log in on any of the subdomains, and then pass that authorization on to help.myapp.com? When the user accesses help.myapp.com, the system would check if they are already authorized on auth.myapp.com, and if so, grant them access. Otherwise, a login and password field would be displayed. Once the user enters their credentials, the system would search all web site databases for a matching login/password combination.

A potential issue with this approach is how to securely manage authentication across multiple web applications and databases. Careful consideration should be given to data privacy and security measures to minimize any risks of unauthorized access or data breaches. However, allowing users to seamlessly access the help website without having to repeatedly enter login credentials could improve the user experience and drive engagement.

One option to implement the help website is to create an authentication center on one of the sites or a separate one. This center would distribute authorization to the other sites using JavaScript and cookies.

To ensure security, tokens or other security measures should be implemented. If all sites are subdomains of the same domain, a common cookie could be used.

Another solution, if changing the architecture is too expensive, is to collect user accounts into a single database on a one-time basis for faster search. Any new users could be added to the main server or databases could be synchronized.

Regardless of the chosen approach, it is important to ensure secure and efficient user access to the help website across multiple web applications. Proper security measures should be put in place to protect user data and prevent unauthorized access.

To create a flexible authorization system, a simple and smart database can be organized to store login application keys and private keys. The public key, which is based on a common algorithm such as hashing or salting, is sent to the client.

This approach allows for independent operation of each web application with its own key in the authorization database, while still being able to edit a shared private key. Various database solutions, such as SQL (e.g. MyISAM, Memory in MySQL) or NoSQL (e.g. memcache, redis, cassandra), can be employed depending on specific needs and requirements.

With this approach, the system can keep track of the user's authorization level, previous actions, and other relevant information, without restricting the functionality or flexibility of any specific web application. It is important to ensure proper security measures are in place to protect users' confidential information and prevent unauthorized access.

Password authentication is the most common method of security, but it is vulnerable to weak passwords. Employees often disregard security measures, unwittingly leaving company information open to attackers. Research shows that few IT employees expressed confidence in the reliability of unstructured data protection. Passwords are also more expensive to maintain than initially expected, with technical support receiving many calls asking for assistance with forgotten passwords.

Biometric authentication offers an alternative solution where users provide a sample of a unique physical or behavioral characteristic. The control template generated by this sample is compared with a reference template to ensure adequate matching. However, biometrics have their limitations, including the need for multiple samples during registration and susceptibility to forgery or interception.

Despite these limitations, implementing biometric systems can offer greater security and convenience for users. Careful attention should be given to personal and cultural considerations when implementing biometric authentication technologies to ensure user privacy is protected.

One potential solution to consider is using a single sign-on (SSO) system, which allows users to log in once and access multiple applications. This can be achieved by implementing an identity provider (IdP) that authenticates users and provides tokens to access the help website.

With this approach, each of the existing web applications could trust the identity provider and issue tokens to users upon successful authentication. These tokens could then be used to access the help website without requiring users to log in again.

Implementing SSO with an identity provider offers a secure and efficient user experience, as it reduces the need for multiple logins and provides a centralized authentication mechanism. It also allows for easy management of user access and permissions across all integrated applications.

Additionally, SSO with an identity provider can support various authentication methods, including username/password, social logins, multi-factor authentication, and more, providing flexibility for different user preferences and security requirements.

Another option to consider is implementing a federated identity management system, such as Security Assertion Markup Language (SAML) or OAuth. These standards enable secure, cross-domain authentication and authorization, allowing users to access multiple applications with a single set of credentials.

With a federated identity management system, users can log in to their existing web applications and seamlessly access the help website without the need to re-enter their credentials. This approach leverages trust relationships between the identity provider and the participating applications, providing a streamlined user experience while maintaining security.

Furthermore, integrating the help website with a federated identity management system allows for centralized user provisioning, role-based access control, and audit trails, enhancing overall security and compliance.

By implementing SAML or OAuth, you can establish a standardized and secure framework for user authentication across disparate web applications, ensuring a consistent and efficient user experience while addressing the diverse needs of your existing user base.