This is a discussion on Central authentication for multiple sites within the PHP General forums, part of the PHP Programming Forums category.

Hi,

Does anyone know of a way to authenticate a person on one site and have that authentication carried through to multiple sites?

Basically I'd like to have someone login on www.domain1.com and then have their login be valid on www.domain2.com and www.domain3.com ... the domain name is different so I don't see how I could use a common cookie.

The 3 sites in question are hosted on a common server with a common user database if that helps but still the domain names that people access the sites with are unique.

Any ideas?

Thanks!

--
Fraser Campbell <fraser@wehave.net> http://www.wehave.net/
Halton Hills, Ontario, Canada Debian GNU/Linux

Maybe you could go off of a timestamp in a last_visited, last_visitedIP fields. If it was less than 10 minutes ago, then they can move on. This, of course, would mean you'd have to add some UPDATE last_visited, last_visitedIP code at the header of every page (or on a common included header).

Hmm... It wouldn't be foolproof, though<:P

> Hi,
>
> Does anyone know of a way to authenticate a person on one site and have that
> authentication carried through to multiple sites?
>
> Basically I'd like to have someone login on www.domain1.com and then have
> their login be valid on www.domain2.com and www.domain3.com ... the domain
> name is different so I don't see how I could use a common cookie.
>
> The 3 sites in question are hosted on a common server with a common user
> database if that helps but still the domain names that people access the
> sites with are unique.
>
> Any ideas?
>
> Thanks!

--
Kevin Bruce
Educational Web Designer
VIP K-16 Grant
http://www.scienceinquiry.org
bruce@mdsg.umd.edu
Maryland Sea Grant College
4321 Hartwick Road, Suite 300
College Park, MD 20740
301.403.4220 ext. 25
OR (on Wednesdays and Fridays) 717.637.5370
AOL Instant Messenger screen name- mdsgkevin

Because the sites are on the same server, it is simple. Use sessions and pass SID in urls to other domains.

Fraser Campbell wrote:
> Hi,
>
> Does anyone know of a way to authenticate a person on one site and have that
> authentication carried through to multiple sites?
>
> Basically I'd like to have someone login on www.domain1.com and then have
> their login be valid on www.domain2.com and www.domain3.com ... the domain
> name is different so I don't see how I could use a common cookie.
>
> The 3 sites in question are hosted on a common server with a common user
> database if that helps but still the domain names that people access the
> sites with are unique.
>
> Any ideas?
>
> Thanks!

On Monday 29 September 2003 15:33, Kevin Stone wrote:
> If all domains have access to the same database then there is absolutely
> nothing preventing you from using a Cookie. Have a normal login on
> Domain1.com. Once authenticated produce a random ID and store it in the
> database. Store the ID in a cookie then Redirect the client to the desired
> domain. The page the client is redirected to checks to see if the ID

Ok. So then the client has a cookie set for www.domain1.com, when I redirect him to www.domain2.com why would his browser send me the cookie? I think I'm missing something ...

--
Fraser Campbell <fraser@wehave.net> http://www.wehave.net/
Halton Hills, Ontario, Canada Debian GNU/Linux

From: "Fraser Campbell" <fraser@wehave.net>
> On Monday 29 September 2003 15:33, Kevin Stone wrote:
> >
> > If all domains have access to the same database then there is absolutely
> > nothing preventing you from using a Cookie. Have a normal login on
> > Domain1.com. Once authenticated produce a random ID and store it in the
> > database. Store the ID in a cookie then Redirect the client to the desired
> > domain. The page the client is redirected to checks to see if the ID
>
> Ok. So then the client has a cookie set for www.domain1.com, when I redirect
> him to www.domain2.com why would his browser send me the cookie? I think I'm
> missing something ...

It wouldn't and you're not. :)

Like someone else mentioned, use sessions or something like them. The key is you're passing a unique id around for each person that logs in. When they go to another site, this ID must go with them, so that means they can only get to the other sites through a link or a form where the ID is passed. If they simply type in the URL for the next domain, they will not be logged in because the ID is not getting passed.

---John Holmes...

On Monday 29 September 2003 15:58, you wrote:
> Like someone else mentioned, use sessions or something like them. The key
> is you're passing a unique id around for each person that logs in. When
> they go to another site, this ID must go with them, so that means they can
> only get to the other sites through a link or a form where the ID is
> passed. If they simply type in the URL for the next domain, they will not
> be logged in because the ID is not getting passed.

Got it. How about this:

- every login form sets a session ID
- immediately after logging in the user is directed to a page showing that successful login has occurred. The result screen could have some images (or whatever) such as this:

<img src="http://www.otherdomain.com/img/auth.gif?session=2345r8hrfd">

- above example of gif would actually be a script that returns a tiny (invisible) gif which verifies that the session is valid and sends a cookie for the new domain if it is. There would be one such embedded image for each extra domain.

I've been out of web development for a while so it took me a bit to get my head around this requirement. Does my explanation make sense and seem feasible?

Thanks

--
Fraser Campbell <fraser@wehave.net> http://www.wehave.net/
Halton Hills, Ontario, Canada Debian GNU/Linux

Fraser Campbell wrote:
> Got it. How about this:
>
> - every login form sets a session ID
> - immediately after logging in the user is directed to a page showing that
> successful login has occurred. The result screen could have some
> images (or whatever) such as this:
>
> <img src="http://www.otherdomain.com/img/auth.gif?session=2345r8hrfd">
>
> - above example of gif would actually be a script that returns a tiny
> (invisible) gif which verifies that the session is valid and sends a cookie
> for the new domain if it is. There would be one such embedded image for
> each extra domain.
>
> I've been out of web development for a while so it took me a bit to get my
> head around this requirement. Does my explanation make sense and seem
> feasible?
>
> Thanks

This would not work for me because I set up my browser to not accept images from other domains (mostly ad banners). You can use it but you should still pass the session id in links that point to the other domains.

From: "Fraser Campbell" <fraser@wehave.net>
> On Monday 29 September 2003 15:58, you wrote:
>
> > Like someone else mentioned, use sessions or something like them. The key
> > is you're passing a unique id around for each person that logs in. When
> > they go to another site, this ID must go with them, so that means they can
> > only get to the other sites through a link or a form where the ID is
> > passed. If they simply type in the URL for the next domain, they will not
> > be logged in because the ID is not getting passed.
>
> Got it. How about this:
>
> - every login form sets a session ID
> - immediately after logging in the user is directed to a page showing that
> successful login has occurred. The result screen could have some
> images (or whatever) such as this:
>
> <img src="http://www.otherdomain.com/img/auth.gif?session=2345r8hrfd">
>
> - above example of gif would actually be a script that returns a tiny
> (invisible) gif which verifies that the session is valid and sends a cookie
> for the new domain if it is. There would be one such embedded image for
> each extra domain.
>
> I've been out of web development for a while so it took me a bit to get my
> head around this requirement. Does my explanation make sense and seem
> feasible?

I think this should work. You're effectively starting a session on each domain at the same time with the same ID. With a limited amount of domains, this would be an adequate method. The benefit you get from this is that you don't have to include the session ID as the user switches domains, because the cookie is already set.

Also, use SID when you need to pass the session id in the URL. It's a constant made just for that...

<img src="http://www.otherdomain.com/img/auth.gif?<?=SID?>">

---John Holmes...

>Does anyone know of a way to authenticate a person on one site and have
>that authentication carried through to multiple sites?
>
>Basically I'd like to have someone login on www.domain1.com and then have
>their login be valid on www.domain2.com and www.domain3.com ... the
>domain name is different so I don't see how I could use a common cookie.
>
>The 3 sites in question are hosted on a common server with a common user
>database if that helps but still the domain names that people access the
>sites with are unique.

Microsoft performed some crafty redirects to address this issue with Passport. I seem to recall them getting a ton of heat for it two or so years ago. Not sure if they still do it.

I believe the procedure involved integrating the session data between passport.com and (e.g.) expedia.com, such that a request to the latter would return a redirect to the former, and that in turn would generate a subsequent redirect back to the latter, this time with the Passport ID in the URL. In this way, Microsoft was able to synchronize your ID between affiliated sites in a reasonably transparent way.

It was pretty elegant, but still struck me as creepy and manipulative. Go figure.

---------------------------------------------------------------------
michal migurski- contact info and pgp key:
sf/ca http://mike.teczno.com/contact.html
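
The hand-off the thread converges on (a random ID stored in the shared database and carried to the next domain in a link or redirect), written as an added PHP example that is not code from any poster. It goes one step beyond passing the session ID itself by carrying a single-use, short-lived token bound to the target host, because anything placed in a URL also lands in browser history, server logs and Referer headers. The `handoff` table, the function names, the 60-second lifetime and the in-memory SQLite database standing in for the shared user database are assumptions.

```php
<?php
// Added example: single-use hand-off token for domains that share one database.
// Table, function names and TTL are assumptions, not from the thread.

function open_store(): PDO {
    // In-memory SQLite stands in for the shared user database (constructed).
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE handoff (token_hash TEXT PRIMARY KEY,
               user_id INTEGER, target TEXT, expires INTEGER)');
    return $db;
}

// Runs on the domain where the user is already logged in.
function issue_handoff(PDO $db, int $userId, string $target, int $now, int $ttl = 60): string {
    $token = bin2hex(random_bytes(32));          // unguessable, 256 bits
    $db->prepare('INSERT INTO handoff VALUES (?, ?, ?, ?)')
       ->execute([hash('sha256', $token), $userId, $target, $now + $ttl]);
    return $token;  // goes into the redirect URL; only its hash is stored
}

// Runs on the receiving domain. Returns the user id, or null if the token is
// unknown, expired, issued for another host, or already used.
function redeem_handoff(PDO $db, string $token, string $thisHost, int $now): ?int {
    $hash = hash('sha256', $token);
    $db->beginTransaction();
    $sel = $db->prepare('SELECT user_id FROM handoff
                         WHERE token_hash = ? AND target = ? AND expires >= ?');
    $sel->execute([$hash, $thisHost, $now]);
    $userId = $sel->fetchColumn();
    // Burn the token on every attempt so a leaked URL cannot be replayed.
    $db->prepare('DELETE FROM handoff WHERE token_hash = ?')->execute([$hash]);
    $db->commit();
    // On success the caller should call session_regenerate_id(true), store the
    // user id in $_SESSION, and redirect to a URL without the token.
    return $userId === false ? null : (int) $userId;
}

// Constructed demo values.
$db  = open_store();
$now = time();
$tok = issue_handoff($db, 42, 'www.domain2.com', $now);
var_dump(redeem_handoff($db, $tok, 'www.domain2.com', $now));   // first use
var_dump(redeem_handoff($db, $tok, 'www.domain2.com', $now));   // replay
$other = issue_handoff($db, 42, 'www.domain2.com', $now);
var_dump(redeem_handoff($db, $other, 'www.domain3.com', $now)); // wrong host
$old = issue_handoff($db, 42, 'www.domain2.com', $now - 120);
var_dump(redeem_handoff($db, $old, 'www.domain2.com', $now));   // expired
```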