Cookie and session transfer to another domain

Tell me how, once logged in on one site, to be logged in on different domains?


Answer 1, authority 100%

Well, as an option you can of course do it like this:
the user logs in to one site. At the bottom it has a counter from the other sites (a counter or an image, it doesn't matter). Its address is built like this: http://-/-.php?login=&pass= . Having received the login and password, the script checks them (on one of the sites where you need to be logged in), and after that you can move between them.


Answer 2, authority 100%

You shouldn't pass authentication data around. If it leaks, you're done for. It's better to pass session data; a leak is much less damaging in that case. At the same time, this allows you to implement not only single sign-on but also single sign-out.

I will consider the case where all sites share a single client base and there is only one site (out of the whole set) where the client registers, authenticates and is authorized. For a distributed, decentralized user base this method is not suitable.

Rough description:

  1. Two domains in different TLDs: example.org and example.com.
  2. Authentication happens on example.org.
  3. Both sites have access to a common session server (it can be a specialized solution such as RADIUS, a database, or one of the sites itself).
  4. When a user visits example.com, send them to something like example.org/a12n?return_uri=http://example.com/
  5. Our example.org handles authentication. If necessary it shows the login form and requires authorization; if not, it creates an anonymous session (if the site needs anonymous users).
  6. The session created by example.org is stored on the session server. The session is identified by some unique value (ID) that is hard to guess (entropy generators to the rescue). The session ID is stored in an example.org cookie.
  7. Redirect the client back to example.com, adding the parameter ?auth.data=<ID> to the address. For security it is better to encrypt the ID with any good symmetric algorithm that is resistant to known-plaintext attacks, and to sign it, including the time at which this ID was issued and some nonce value (to protect against replay attacks).
  8. Our example.com sees the auth.data parameter, checks with the session server that such a session exists and is valid (this is where it learns who the user is), saves the session ID in a cookie, and redirects to itself, to the same address but without auth.data.
  9. As a result, both sites have a session ID (which, in general, can be unique for each site and simply refer to the same session). Task completed, single sign-on implemented.
  10. To implement single sign-out, any of the sites (preferably one, the same one that handles sign-in) marks the session as closed or deletes it. Since all sites rely on a single session server, the session will be closed everywhere.
  11. At some stage it is worth checking whether the client accepts cookies, so as not to drive it into an endless loop (and not to generate a heap of sessions).

Strictly speaking, this is a sort of "OAuth2-lite". You can, by the way, just take OAuth; that would even be more correct. The logic, broadly speaking, is the same: tokens all the way down.

For simplicity, so that there are fewer abstractions, one possible setup:

  1. The session server is a regular relational database with SQL.
  2. All sites have the same owner and the session ID is the same on all sites.
  3. Session check: in the middleware of each site, do SELECT user_id FROM shared_sessions WHERE id = :session_id AND closed IS NULL.
  4. Creating and closing a session is obvious, I think.
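As an added illustration of the flow described in Answer 2 (steps 4 to 10 plus the simplified relational-database variant), here is a stand-alone Python sketch. This is editor-added example code, not the answerer's code or any project's implementation. The class and function names (SessionServer, issue_auth_data, redeem_auth_data, example_com_request), the 60-second token lifetime and the in-memory SQLite store are all assumptions for the example. The handoff token is signed with HMAC-SHA256 over the session ID, issue time and nonce; the answer additionally suggests encrypting the ID, which is omitted here to stay within the standard library.

```python
"""Added example: single sign-on / single sign-out over a shared session store.
Names, TTL and storage are assumptions for illustration, not the answer's code."""
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import sqlite3
import time

TOKEN_TTL = 60                            # seconds an auth.data token stays valid (assumption)
SIGNING_KEY = secrets.token_bytes(32)     # shared secret of example.org and example.com
LOGIN_URL = "https://example.org/a12n?return_uri=https://example.com/"


class SessionServer:
    """The 'session server' of the answer: a relational database, here SQLite in memory."""

    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.execute("CREATE TABLE shared_sessions (id TEXT PRIMARY KEY, user_id INTEGER, closed REAL)")
        self.db.execute("CREATE TABLE used_nonces (nonce TEXT PRIMARY KEY)")

    def create(self, user_id):
        sid = secrets.token_urlsafe(32)                      # ~256 bits of entropy: hard to guess
        self.db.execute("INSERT INTO shared_sessions VALUES (?, ?, NULL)", (sid, user_id))
        return sid

    def user_for(self, sid):
        """The middleware check from the answer: only open sessions count."""
        row = self.db.execute(
            "SELECT user_id FROM shared_sessions WHERE id = ? AND closed IS NULL", (sid,)).fetchone()
        return row[0] if row else None

    def close(self, sid):
        """Single sign-out: closing here closes the session on every site at once."""
        self.db.execute("UPDATE shared_sessions SET closed = ? WHERE id = ?", (time.time(), sid))

    def consume_nonce(self, nonce):
        """True the first time a nonce is seen, False on a replayed token."""
        try:
            self.db.execute("INSERT INTO used_nonces VALUES (?)", (nonce,))
            return True
        except sqlite3.IntegrityError:
            return False


def _sign(payload):
    return hmac.new(SIGNING_KEY, payload, hashlib.sha256).hexdigest()


def issue_auth_data(sid, now=None):
    """example.org side (step 7): build the ?auth.data= value carrying ID, issue time and nonce."""
    iat = time.time() if now is None else now
    body = json.dumps({"id": sid, "iat": iat, "nonce": secrets.token_hex(16)}).encode()
    return base64.urlsafe_b64encode(body).decode() + "." + _sign(body)


def redeem_auth_data(server, token, now=None):
    """example.com side (step 8): verify signature, age and nonce, then confirm the
    session with the session server. Returns (session_id, user_id) or None."""
    try:
        b64, sig = token.split(".", 1)
        body = base64.urlsafe_b64decode(b64)
    except (ValueError, binascii.Error):
        return None
    if not hmac.compare_digest(_sign(body), sig):
        return None                                           # forged or tampered token
    data = json.loads(body)
    current = time.time() if now is None else now
    if current - data["iat"] > TOKEN_TTL:
        return None                                           # stale token
    if not server.consume_nonce(data["nonce"]):
        return None                                           # replayed token
    user = server.user_for(data["id"])
    if user is None:
        return None                                           # unknown or already closed session
    return data["id"], user


def example_com_request(server, query, cookies):
    """Sketch of the example.com middleware for one request (query and cookies as dicts).
    Returns ("ok", user_id), ("set-cookie-and-redirect", sid) or ("redirect-to-login", url)."""
    sid = cookies.get("sid")
    if sid:
        user = server.user_for(sid)
        if user is not None:
            return ("ok", user)
    if "auth.data" in query:
        result = redeem_auth_data(server, query["auth.data"])
        if result:
            return ("set-cookie-and-redirect", result[0])    # store the ID, then redirect without auth.data
    return ("redirect-to-login", LOGIN_URL)                   # step 4: send the user to example.org
```

The token check is deliberately ordered so that the cheap, stateless signature and expiry checks run before the database is touched, and the nonce is only burned for a token that already passed them. The cookie-acceptance guard from step 11 is not modelled: a real middleware must notice when the redirect comes back without the cookie it just set, or the loop above will run forever.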

Answer 3, authority 33%

In principle, you can use the Curl + jQuery libraries.
On authorization, send the data to a script via jQuery, and then send the authorization data to the other domain via Curl.


Answer 4

Well, globally, you can have one domain purely for authorization, for example auth.mysite.ru. Sites on other domains then simply query the authorization domain, sending it the login and password (either through web forms or through cookies), and receive an answer: is the user authorized or not.


Answer 5

You can save the authorization state in the database and check it on all domains.