NYPHP.org

[nycphp-talk] Single Signon Multiple Domains

Michael B Allen mba2000 at ioplex.com
Mon Mar 26 20:23:49 EDT 2007


On Mon, 26 Mar 2007 18:10:21 -0400
"Joseph Crawford" <codebowl at gmail.com> wrote:

> Guys,
> 
> The company I am working for wants to have a single signon for multiple
> sites that will be on different domains.  I know that you cannot use a
> cookie across domains.  Is there a way to do this
> aside from passing a hash via querystring or POST form?
> 
> The reason I ask is because we cannot always rely on the hash being
> present.  What if the user is at one domain then types in the other domain.
> We would want them to remain logged into the system because it is a network.
> I know it is possible just look at Google.com and Gmail.com.
> 
> Any Ideas?  Everything I read seems really insecure and ends with passing a
> querystring in your links.

The way I see it you can divide this into two problems:

1. You need somewhere to store the login state that all participants
   have access to.

2. You need some way to determine the client's identity to look up the
   login state.

For example, you could use a central server to store the state and
a cookie to determine the identity. When the user logs into domain A
their logon state is updated in the central server and their username
is stored in a cookie. Then when they go to domain B the username is
retrieved from the cookie (assuming they have previously visited the site)
and used to look up their state in the central server.

Note that to make this method secure you would need to mcrypt the
cookie and traffic with the central server with a secret shared by all
participating servers.

There are no doubt other permutations of this but I think all would need
to satisfy the two problems regarding where to store the state and how
to determine the identity.

Mike

-- 
Michael B Allen
PHP Active Directory Kerberos SSO
http://www.ioplex.com/
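The two-part design in Mike's reply (a central store for login state, a cookie that carries the identity, and the cookie protected with a secret shared by all participating servers), worked out as an added example. This is not code from the original thread; it is a sketch written for this page. It assumes PHP 7.4 or later and uses the openssl and hash extensions in place of mcrypt (which was removed from core in PHP 7.2); the function and class names, the `sso_id` cookie name and the user `alice` are all made up for the illustration, and the `CentralStateStore` class stands in for whatever shared database or cache the participating domains would actually talk to over an encrypted connection.

```php
<?php
// Added example, not from the original post. Each domain sets and reads its own
// copy of the cookie; what makes them interchangeable is that every domain seals
// and unseals it with the same shared secret and asks the same central store.
declare(strict_types=1);

const SHARED_SECRET = 'replace-with-a-32-byte-random-secret'; // assumption: identical on every participating server
const CIPHER = 'aes-256-cbc';

// Derive one key for encryption and a separate one for authentication from the shared secret.
function derive_keys(string $secret): array
{
    return [
        hash('sha256', 'enc|' . $secret, true),
        hash('sha256', 'mac|' . $secret, true),
    ];
}

// Seal the username into an opaque cookie value: IV || ciphertext, followed by an HMAC over both.
function seal_identity(string $username, string $secret): string
{
    [$encKey, $macKey] = derive_keys($secret);
    $iv = random_bytes(openssl_cipher_iv_length(CIPHER));
    $ct = openssl_encrypt($username, CIPHER, $encKey, OPENSSL_RAW_DATA, $iv);
    $payload = $iv . $ct;
    $tag = hash_hmac('sha256', $payload, $macKey, true);
    return base64_encode($payload . $tag);
}

// Reverse of seal_identity(); returns null if the value was altered or sealed under a different secret.
function unseal_identity(string $cookie, string $secret): ?string
{
    [$encKey, $macKey] = derive_keys($secret);
    $raw = base64_decode($cookie, true);
    $ivLen = openssl_cipher_iv_length(CIPHER);
    if ($raw === false || strlen($raw) < $ivLen + 32) {
        return null;
    }
    $payload = substr($raw, 0, -32);
    $tag = substr($raw, -32);
    // Check the MAC before decrypting anything; hash_equals() compares in constant time.
    if (!hash_equals(hash_hmac('sha256', $payload, $macKey, true), $tag)) {
        return null;
    }
    $iv = substr($payload, 0, $ivLen);
    $ct = substr($payload, $ivLen);
    $pt = openssl_decrypt($ct, CIPHER, $encKey, OPENSSL_RAW_DATA, $iv);
    return $pt === false ? null : $pt;
}

// Hypothetical central login-state store shared by all domains (in-memory stand-in for a real backend).
final class CentralStateStore
{
    private array $state = [];

    public function login(string $username): void
    {
        $this->state[$username] = ['logged_in' => true, 'since' => time()];
    }

    public function logout(string $username): void
    {
        unset($this->state[$username]);
    }

    public function isLoggedIn(string $username): bool
    {
        return ($this->state[$username]['logged_in'] ?? false) === true;
    }
}

// What any participating domain does per request: read its cookie, unseal it, consult the central store.
function current_user(?string $cookie, CentralStateStore $store, string $secret): ?string
{
    if ($cookie === null) {
        return null;
    }
    $username = unseal_identity($cookie, $secret);
    if ($username === null || !$store->isLoggedIn($username)) {
        return null;
    }
    return $username;
}

// Walk-through with constructed values.
$store = new CentralStateStore();

// Domain A: the user logs in; state goes to the central store, identity goes into the cookie.
$store->login('alice');
$cookieValue = seal_identity('alice', SHARED_SECRET);
// setcookie('sso_id', $cookieValue, ['secure' => true, 'httponly' => true, 'samesite' => 'Lax']);

// Domain B, holding the same shared secret, resolves the user from its cookie and the central store.
var_dump(current_user($cookieValue, $store, SHARED_SECRET));

// A cookie altered by the client fails the MAC check and yields no identity.
$tampered = $cookieValue;
$tampered[5] = ($tampered[5] === 'A') ? 'B' : 'A';
var_dump(current_user($tampered, $store, SHARED_SECRET));

// Logging out at the central store ends the session on every domain at once.
$store->logout('alice');
var_dump(current_user($cookieValue, $store, SHARED_SECRET));
```

The sealing step is what turns "store the username in a cookie" into something a client cannot rewrite: the HMAC covers the IV and ciphertext, so changing a single byte is detected before decryption, and a cookie minted on a server that does not hold the shared secret is rejected the same way. The example covers only the cookie half of the secrecy requirement in the reply; the traffic to the central store is assumed to go over TLS or an equivalent encrypted channel, which the in-memory stand-in does not model.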
