1 (edited by StevenBullen 2008-04-29 07:48)

Topic: 2 Domains single login

Hi,

I have two domains: example.com and example2.com.
I use one database for both, but have set it up so that one uses the other's users table.

What is the best workaround so that when they log in at example.com they will not have to log in again at example2.com?

Many thanks.

EDIT:
OK, I have a fix... but it's probably not the best advised one.
What's the security issue with the following?

Sending the cookie info from one domain to the other in the URL. I send the user_id and the password_hash across via URL and then it sets a new cookie with the information. It's not the cleanest route, but I'm having trouble coming up with something that can do the job.

I'm guessing it's not possible due to security implications.

Re: 2 Domains single login

I would research how Microsoft's Passport and other similar systems work. I believe you can do something similar/more secure using iframes (of course, some browsers may reject the cookies).

3 (edited by Lurker.boi 2008-04-29 15:50)

Re: 2 Domains single login

You'll want to use one of the domains for master login, and make use of the shared db table.

For example, if example.com is your master login, when a user goes to example2.com:

1) If their example2.com cookie is set, all done.
2) If not, check your shared table to see if your token/timestamp from example.com has been written within the last x amount of time you want the login valid for (30 minutes, 10 minutes, or later you can make this a rolling time if you want). If so, write the example2.com cookie, all set.
3) If not, redirect to the example.com auth page. If the example.com cookie is already set, write a token/timestamp in your shared table, redirect back to example2.com, and it will be handled by step 2.
4) If the example.com cookie is not set, show the login page. If the login is valid, set the example.com cookie and the token/timestamp in your db and redirect back to example2.com, and it will be handled by step 2.

If they log in to example.com, all you have to do is set the example.com cookie and token/timestamp.

This way nothing is sent in the query string that can be spoofed, so you are taking advantage of the security of the cookie and validating against the db instead. You'll only need to pass the redirection page, which you were probably doing to a login page anyway, and eventually both cookies get set if needed.

Edit: I used example.com and example1.com interchangeably.
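The master-login flow described in the post above, written out as an added example (not code from the thread or from any of its posters). It models the shared db table as an in-memory dict and assumes, as its own design choice, that the redirect from example.com back to example2.com carries a random, single-use token identifier rather than the user_id and password_hash from the first post; the function names, the `TOKEN_TTL_SECONDS` window and the `https://example.com/auth` redirect target are all this example's assumptions, not anything the thread specifies.

```python
import secrets
import time

# Constructed stand-in for the shared database table the post describes.
# Each row: token -> {"user_id": ..., "issued_at": ...}
SHARED_TOKENS = {}

# The "x amount of time" the post leaves configurable; 10 minutes here (assumption).
TOKEN_TTL_SECONDS = 600

# Hypothetical redirect target for step 3 of the post (assumption).
MASTER_AUTH_URL = "https://example.com/auth"


def issue_cross_domain_token(user_id, now=None):
    """Master domain (example.com), steps 3/4 of the post: after a valid login
    or an existing example.com cookie, write a random token + timestamp to the
    shared table. The token is what the redirect back to example2.com carries;
    it reveals nothing about the user's credentials."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)          # unguessable, not derived from user data
    SHARED_TOKENS[token] = {"user_id": user_id, "issued_at": now}
    return token


def redeem_cross_domain_token(token, now=None):
    """Secondary domain (example2.com), step 2 of the post: look the token up in
    the shared table, accept it only if it was written within TOKEN_TTL_SECONDS,
    and consume it so the same redirect URL cannot be replayed later.
    Returns the user_id to put in the example2.com cookie, or None."""
    now = time.time() if now is None else now
    row = SHARED_TOKENS.pop(token, None)       # single use: removed whether valid or not
    if row is None:
        return None
    if now - row["issued_at"] > TOKEN_TTL_SECONDS:
        return None
    return row["user_id"]


def handle_secondary_request(cookie_user_id, token=None, now=None):
    """Walks steps 1-3 of the post for one request arriving at example2.com.
    cookie_user_id is whatever the example2.com session cookie already proves
    (None if no cookie); token is the value from the redirect, if any.
    Returns ("ok", user_id) when a session exists or can be established,
    or ("redirect", MASTER_AUTH_URL) when the user must visit example.com."""
    if cookie_user_id is not None:             # step 1: example2.com cookie already set
        return ("ok", cookie_user_id)
    if token is not None:                      # step 2: validate against the shared table
        user_id = redeem_cross_domain_token(token, now)
        if user_id is not None:
            # A real app would set the example2.com session cookie here.
            return ("ok", user_id)
    return ("redirect", MASTER_AUTH_URL)       # step 3: send them to the master login


if __name__ == "__main__":
    # Constructed walk-through: user 42 logs in at example.com, then visits example2.com.
    t = issue_cross_domain_token(42)
    print(handle_secondary_request(None, t))   # ("ok", 42)
    print(handle_secondary_request(None, t))   # ("redirect", ...) - token already consumed
```

Because the token is random, short-lived and deleted on first use, a copy of the redirect URL in a browser history, proxy log or Referer header is worthless after the window closes, which is the property the post's "nothing is sent in the querystring that can be spoofed" argument depends on and which a URL carrying user_id and password_hash does not have.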