Encrypting Web Page Data
We are trying to implement a secure application to allow our students to view their grades online. They would authenticate via a university-maintained authentication mechanism and then pass and maintain that ID securely between the student's web browser and an application server. Initially, through a java API, I was going to include code to see whether the user was authenticated, and if not, invoke the authentication mechanism, which would return a cookie containing an encryted ID. I was going to include this code in all servlets, so that the ID would never have to be passed back and forth between client browser and app server. This would prevent the direct manipulation of the ID and prevent the client from passing another student's ID to the server. I didn't ever want to pass an ID as part of a post or get.
This worked well, with a servlet able to obtain the ID solely by invoking the University's Authentication API and obtaining the ID that way. Unfortunately, a requirement was added to protect the app server behind a firewall, and only allow communication to it via a reverse proxy. The university's authentication mechanism, unfortunately, will not work with a reverse proxy in the middle, so I have to separate the code into a java servlet that will invoke the API on the reverse proxy server, and then pass that ID to my servlet via a post, or get.
I want to make sure the user can't modify this ID, and possibly other sensitive information that will need to be passed back and forth between the servlets. I am being encouraged to use PKI to do this. Is this valid? And are there any examples of this being done?
Thanks in advance.
