YourSites establishes a secure connection between the server and each of the client sites.
A private token is stored on the server and on each client site and is used to validate every request: no cookies or session-stored authentication tokens are relied on. At the start of each interaction a highly random, request-specific token is passed from the client to the server. The server encodes this request token with the private token, and before any request is processed on the client the resulting value is checked against the request token and the private token held on the client site. A request whose value does not match is not processed.
There are 2 types of private token that can be used:
1. Server Specific - a unique token is automatically generated for each YourSites server when you first install the component. If you want to change it you can do so in the component options page.
When the server specific token is used, the same token is shared between all your client sites. This is not ideal: the local administrator of any one of those sites could find the token and reuse it to gain access to the other sites you manage.
We therefore recommend Client Specific tokens, which are the default setting.
2. Client Specific - a token that is unique to each and every client site. This private token is stored on the client site and in that site's record at your YourSites server. It is not shared between sites, so a token found on one client site gives no access to any other site, and the connection between each client site and your YourSites server stays secure.
Further Security Options
You can configure the client site plugins to accept connections only from a YourSites server at a specific IP address and domain. This check is applied in addition to the request-specific private token checks described above, not instead of them.
If you use DirectLogin links you should include your own static IP address from your ISP as well as the YourSites server's IP address, since the direct login request arrives from your own browser rather than from the server. You can also configure the client site plugin to accept only direct login connections that use the configured two-factor authentication mechanism.
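The exchange described above (request-specific token from the client, server proof built from the private token, client-side check before processing) together with the IP allowlist and the difference between server specific and client specific tokens, as an added illustration that is not YourSites' own code. The page does not say how the server "encodes" the request token with the private token; HMAC-SHA256 over the request token and the requested action is an assumption made here, as are the site URLs, the action name and the sample IP addresses.

```python
import hashlib
import hmac
import ipaddress
import secrets
import time


def sign_request(private_token, request_token, action):
    """Bind one request to the private token and the per-request token.
    HMAC-SHA256 is an assumption for illustration; the page only says the
    server 'encodes' the request token with the private token."""
    message = request_token.encode() + b"\0" + action.encode()
    return hmac.new(private_token.encode(), message, hashlib.sha256).hexdigest()


class ClientSite:
    """The client-site plugin: one private token plus an IP allowlist."""

    def __init__(self, private_token, allowed_server_ips, max_age=60):
        self._private_token = private_token
        self._allowed_ips = {ipaddress.ip_address(ip) for ip in allowed_server_ips}
        self._max_age = max_age
        self._pending = {}  # request token -> time issued

    def start_interaction(self):
        """Issue a fresh, random, single-use token for this interaction."""
        request_token = secrets.token_hex(32)
        self._pending[request_token] = time.monotonic()
        return request_token

    def accept(self, source_ip, request_token, action, proof):
        """Checks run before any request is processed: IP allowlist first,
        then single use and freshness of the request token, then the proof."""
        if ipaddress.ip_address(source_ip) not in self._allowed_ips:
            return False, "source IP not on allowlist"
        issued = self._pending.pop(request_token, None)  # consumed on first use
        if issued is None:
            return False, "unknown or already used request token"
        if time.monotonic() - issued > self._max_age:
            return False, "request token expired"
        expected = sign_request(self._private_token, request_token, action)
        if not hmac.compare_digest(expected, proof):
            return False, "proof does not match private token"
        return True, "accepted"


class YourSitesServer:
    """Site records: each client URL maps to that site's own private token."""

    def __init__(self, site_records):
        self._site_records = dict(site_records)

    def prove(self, site_url, request_token, action):
        return sign_request(self._site_records[site_url], request_token, action)


SERVER_IP = "203.0.113.10"   # constructed sample addresses (TEST-NET ranges)
OTHER_IP = "198.51.100.77"


def run_scenarios():
    """Constructed scenarios; returns the accept() outcome of each."""
    results = {}
    action = "update-extensions"  # assumed action name

    # Client specific tokens: every site has its own secret.
    tokens = {"https://site-a.example": secrets.token_hex(32),
              "https://site-b.example": secrets.token_hex(32)}
    server = YourSitesServer(tokens)
    site_a = ClientSite(tokens["https://site-a.example"], [SERVER_IP])

    rt = site_a.start_interaction()
    proof = server.prove("https://site-a.example", rt, action)
    results["valid"] = site_a.accept(SERVER_IP, rt, action, proof)
    # Replaying the captured proof fails: the request token was consumed.
    results["replay"] = site_a.accept(SERVER_IP, rt, action, proof)
    # A correct proof from an address outside the allowlist fails.
    rt = site_a.start_interaction()
    proof = server.prove("https://site-a.example", rt, action)
    results["wrong_ip"] = site_a.accept(OTHER_IP, rt, action, proof)
    # Site B's administrator knows only site B's token and cannot sign for A.
    rt = site_a.start_interaction()
    forged = sign_request(tokens["https://site-b.example"], rt, action)
    results["other_site_token"] = site_a.accept(SERVER_IP, rt, action, forged)

    # Server specific token: one secret shared by all client sites, so the
    # same forgery by site B's administrator is accepted by site A.
    shared = secrets.token_hex(32)
    site_a_shared = ClientSite(shared, [SERVER_IP])
    rt = site_a_shared.start_interaction()
    forged = sign_request(shared, rt, action)  # site B's copy of the secret
    results["shared_token_forgery"] = site_a_shared.accept(SERVER_IP, rt, action, forged)
    return results


if __name__ == "__main__":
    for name, (ok, reason) in run_scenarios().items():
        print(f"{name:22s} {'ACCEPT' if ok else 'REJECT'}: {reason}")
```

The order of checks matters in practice: the IP allowlist is the cheapest test and runs first, the request token is consumed before the proof is compared so a captured proof cannot be replayed, and the comparison uses a constant-time function so the check does not leak how many bytes of the proof were right.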
Please be aware that we do not collect any data from your server or client sites. All communication takes place directly between your client sites and your server site.