On Mon, 26 Mar 2007 18:10:21 -0400 "Joseph Crawford" <[EMAIL PROTECTED]> wrote:
> Guys,
>
> The company I am working for wants to have a single signon for multiple
> sites that will be on different domains. I know that you cannot use a
> cookie across domains. Is there a way to do this aside from passing a
> hash via querystring or POST form?
>
> The reason I ask is because we cannot always rely on the hash being
> present. What if the user is at one domain then types in the other domain.
> We would want them to remain logged into the system because it is a network.
> I know it is possible, just look at Google.com and Gmail.com.
>
> Any ideas? Everything I read seems really insecure and ends with passing a
> querystring in your links.

The way I see it you can divide this into two problems:

1. You need somewhere to store the login state that all participants have access to.
2. You need some way to determine the client's identity to look up the login state.

For example, you could use a central server to store the state and a cookie to determine the identity. When the user logs into domain A their logon state is updated in the central server and their username is stored in a cookie. Then when they go to domain B the username is retrieved from the cookie (assuming they have previously visited the site) and used to look up their state in the central server.

Note that to make this method secure you would need to mcrypt the cookie and traffic with the central server with a secret shared by all participating servers.

There are no doubt other permutations of this but I think all would need to satisfy the two problems regarding where to store the state and how to determine the identity.

Mike

--
Michael B Allen
PHP Active Directory Kerberos SSO
http://www.ioplex.com/

_______________________________________________
New York PHP Community Talk Mailing List
http://lists.nyphp.org/mailman/listinfo/talk
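The two-part design in the reply (a central store for login state plus a cookie that every participating server can verify) as an added Python example; it is not code from the thread. Where the reply suggests mcrypt, this version makes the cookie unforgeable with an HMAC over the shared secret; the secret, the in-memory store, the token lifetime and the `login`/`lookup` names are all constructed for the demo.

```python
import hashlib
import hmac
import secrets
import time

# Constructed demo secret; in the reply's design this is the value shared
# by all participating servers and must never reach the browser.
SHARED_SECRET = b"constructed-demo-secret-shared-by-all-servers"
TOKEN_TTL = 3600  # seconds a cookie stays usable on any participating domain

# Hypothetical central state store (problem 1): session id -> login state.
central_state = {}


def _sign(payload: bytes) -> str:
    """HMAC-SHA256 over the cookie payload, keyed with the shared secret."""
    return hmac.new(SHARED_SECRET, payload, hashlib.sha256).hexdigest()


def login(username: str, now=None) -> str:
    """Domain A authenticates the user, records state centrally and returns
    the cookie value: '<session id>|<issued at>|<hex signature>'."""
    now = int(time.time()) if now is None else now
    sid = secrets.token_urlsafe(16)          # unguessable, not the username
    central_state[sid] = {"user": username, "issued": now}
    payload = f"{sid}|{now}".encode()
    return f"{payload.decode()}|{_sign(payload)}"


def lookup(cookie: str, now=None):
    """Domain B verifies the cookie with the shared secret (problem 2) and,
    only if it is genuine and fresh, looks the state up centrally."""
    now = int(time.time()) if now is None else now
    try:
        sid, issued_str, sig_hex = cookie.split("|")
        issued = int(issued_str)
    except ValueError:
        return None                          # malformed cookie
    expected = _sign(f"{sid}|{issued}".encode())
    if not hmac.compare_digest(expected.encode(), sig_hex.encode()):
        return None                          # forged or tampered with
    if now - issued > TOKEN_TTL:
        return None                          # stale, force a fresh login
    return central_state.get(sid)
```

A cookie that carried only the bare username, as the reply first sketches it, would be accepted by `lookup` for anyone who typed a colleague's name; the signature check is what makes the shared identity trustworthy.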