Sounds like pubcookie: http://pubcookie.org/
-Tim
Will Hartung wrote:
Hi all!
Not necessarily Tomcat specific, but I'm curious what others may have done to support cross site single sign on.
The basic problem is that customer goes to site A, and logs in. Then while navigating that site, they eventually head over to site B.
Of course when they hit site B, the customer should already be "logged in".
If site A and site B live in the same domain space (say, site.com and b.site.com), then a "site.com" cookie should be able to be used as a token that show login. Of course, this requires cookies. It also requires both sites to "maintain" the cookie if the cookie is allowed to expire (say, it's only useful for 30 minutes).
However I think this would have to be a "signed" cookie, where both participating servers encrypt to cookie with a known key (perhaps a shared public key).
Now, if you have sitea.com and siteb.com, then the cookie technique can't work (as neither can set a cookie for the other). So, I'm thinking that you can do something similiar, a signed token, in a hidden field and then having to submit a form to get to the new site.
Of course, you can always stick the token on the URL as well.
Does that sum it up? Any other ways for cooperating sites to "transparently" exchange credentials? I suppose the back ends can do it. Send signed packets to each other during their log in processes to notify cooperating services.
But if your logins "time out", you still need to constantly update the session information. It's not enough to know that "Bob signed in at 10am, and expires at 10:30". If Bob actively uses the site, you want the time out to be since last activity.
How are others doing this and what have you found effective?
Regards,
Will Hartung ([EMAIL PROTECTED])
--------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
