It is important to improve security beyond what the tutorial shows.
The tutorial is designed to convey single sign-on basics only. Consider the following recommendations when
preparing your production system.
- To keep this sample easy to follow, the user name, password and expiration date are
encrypted directly in the cookie. This must not be done on a production site: anyone who recovers
the decryption algorithm can read the user name and password in clear. We recommend that you review
the encryption mechanism and improve it by encrypting a hash of the login and password rather than the
login and password themselves.
- The functions shown in this sample are “fake” functions written specifically for this example and may
contain placeholder code. Review these functions in detail before adapting them to your production
environment.
- A single user name and password pair is hard-coded in the sample source code. A production
site requires a complete user management solution.
- Production sites must use HTTPS rather than HTTP so that data is not transmitted in clear text
over the network.