Can anyone point out what the obvious flaws with this approach would be, as I am sure there will be some...
- User tries to access restricted area on 'original box'
- User is not logged in, so is redirected to 'secure box'
- User logs in via LDAP using SSL & ldaps
- Session is created on 'secure box'
- User is redirected back to 'original box'
- 'original box' does a file_get_contents to session.php on 'secure box'
- 'secure box' checks for valid session, and if present returns username and some extra info as XML (obviously no password info)
- 'original box' uses XML to create local session
- User is allowed to progress through protected area with each page view checking 'secure box' for valid session
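
The server-to-server steps above (the file_get_contents call, the XML reply, and the local session), sketched for 'original box' as an added example that is not code from the original post. The post does not say how 'original box' tells 'secure box' which user's session to check, so the random one-time `ticket` carried on the redirect back, the URL, and the `<valid>`/`<username>` element names are all assumptions made for illustration.

```php
<?php
// Added example, not the poster's code. The host name, the "ticket" parameter
// and the XML element names below are assumptions.
const SECURE_BOX_URL = 'https://secure-box.example/session.php'; // hypothetical

function fetch_session_xml(string $ticket): ?string
{
    $ctx = stream_context_create([
        // Verify the certificate and host name of 'secure box'.
        'ssl'  => ['verify_peer' => true, 'verify_peer_name' => true],
        'http' => ['timeout' => 5, 'follow_location' => 0],
    ]);
    $url  = SECURE_BOX_URL . '?ticket=' . rawurlencode($ticket);
    $body = @file_get_contents($url, false, $ctx);
    return $body === false ? null : $body;
}

function parse_session_xml(string $xml): ?array
{
    // LIBXML_NONET: no network access while parsing; LIBXML_NOENT is not set,
    // so entities are not substituted.
    $prev = libxml_use_internal_errors(true);
    $doc  = simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NONET);
    libxml_use_internal_errors($prev);
    if ($doc === false || (string) $doc->valid !== '1') {
        return null;
    }
    $username = (string) $doc->username;
    // Accept only a conservative username alphabet before trusting the value.
    return preg_match('/^[A-Za-z0-9._-]{1,64}$/', $username) ? ['username' => $username] : null;
}

function establish_local_session(string $ticket): bool
{
    // Reject anything that is not a plain hex token before it reaches the URL.
    if (!preg_match('/^[A-Fa-f0-9]{32,128}$/', $ticket)) {
        return false;
    }
    $xml  = fetch_session_xml($ticket);
    $user = $xml === null ? null : parse_session_xml($xml);
    if ($user === null) {
        return false;
    }
    session_start();
    session_regenerate_id(true); // new session id once the user is authenticated
    $_SESSION['username']   = $user['username'];
    $_SESSION['checked_at'] = time();
    return true;
}
// Constructed sample reply, for illustration only.
var_dump(parse_session_xml('<session><valid>1</valid><username>jsmith</username></session>'));
```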