SSO between different websites


Is it possible to achieve a single sign-on between 2 different websites
having 2 different domain names & hosted on 2 different hosts?

I.e. you log in to site1. Then click on a link on site1 which takes you to
site2 & logs you in automatically to site2.

Assuming you have control of both websites, how can this be done?

Re: SSO between different websites

KJ wrote:


If you are talking about session sharing: yes that is possible.
But all websites/machines that join the party must share their sessions
with each other.
I think the easiest way to implement this is using a database for
session storage (you can write a custom session handler function) and make
sure all participating websites use the same database.

You also must make sure that the cookies that hold PHPSESSID all hold
the same token.
This can be accomplished in several ways. Here is an ugly one: When
signing on on a certain site:
1) PHP starts a session. It returns the PHPSESSID to the client.
2) Client calls (via a normal HTTP request) certain pages at the other
domains, passing its PHPSESSID, e.g.:
open them in new windows, or use AJAX, as long as the cookies get set.

Where setMySess.php accepts the passed SID and stores that in a cookie.
That way all domains have the same PHPSESSID.

If you like to rotate PHPSESSID you'll have to do this every request,
which is horrible, so don't.

If the sites you are talking about have high security restrictions, be
sure to review my above approach in detail. Even though I suggested it, I
don't trust it completely.

Erwin Moller

"There are two ways of constructing a software design: One way is to
make it so simple that there are obviously no deficiencies, and the
other way is to make it so complicated that there are no obvious
deficiencies. The first method is far more difficult."
-- C.A.R. Hoare
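
The shared-storage approach above, as an added example that is not Erwin's code or anything from the thread: a PDO-backed session handler that every participating site registers, so all domains read and write the same session rows, plus the setMySess.php logic for adopting a PHPSESSID handed over from the site where the user signed on. Assumptions: PHP 8.1+, a MySQL database reachable from all hosts with a table `sessions (id VARCHAR(128) PRIMARY KEY, data MEDIUMTEXT, expires INT)`, and the DSN/credentials and the `sid` parameter name, which are placeholders. The "only adopt an id that already exists" check is my addition, not something the post proposes.

```php
<?php
// Added example, not code from the thread. Assumed: PHP 8.1+, MySQL table
//   CREATE TABLE sessions (id VARCHAR(128) PRIMARY KEY, data MEDIUMTEXT, expires INT);
// and these placeholder connection details kept in each site's config.
const SESSION_DSN  = 'mysql:host=sessiondb.internal;dbname=sso';  // assumed host
const SESSION_USER = 'sso';                                       // assumed
const SESSION_PASS = 'change-me';                                 // assumed

class SharedDbSessionHandler implements SessionHandlerInterface
{
    public function __construct(private PDO $db) {}

    public function open(string $path, string $name): bool { return true; }
    public function close(): bool { return true; }

    public function read(string $id): string|false
    {
        $st = $this->db->prepare('SELECT data FROM sessions WHERE id = ? AND expires > ?');
        $st->execute([$id, time()]);
        $data = $st->fetchColumn();
        return $data === false ? '' : $data;   // '' tells PHP "no such session"
    }

    public function write(string $id, string $data): bool
    {
        $expires = time() + (int) ini_get('session.gc_maxlifetime');
        $st = $this->db->prepare('REPLACE INTO sessions (id, data, expires) VALUES (?, ?, ?)');
        return $st->execute([$id, $data, $expires]);
    }

    public function destroy(string $id): bool
    {
        return $this->db->prepare('DELETE FROM sessions WHERE id = ?')->execute([$id]);
    }

    public function gc(int $max_lifetime): int|false
    {
        $st = $this->db->prepare('DELETE FROM sessions WHERE expires < ?');
        $st->execute([time()]);
        return $st->rowCount();
    }
}

// Included by every page on every domain (e.g. via auto_prepend_file): same
// handler, same database, so one PHPSESSID is meaningful on all of them.
function shared_session_start(PDO $db): void
{
    session_set_save_handler(new SharedDbSessionHandler($db), true);
    session_set_cookie_params(['secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
    session_start();
}

// setMySess.php on each of the other domains: adopt the SID passed from the
// signing-on site and set it in this domain's cookie. The existence check is
// my addition: only adopt an id already present in the shared store, otherwise
// anyone could plant an id of their own choosing (session fixation).
function adopt_shared_sid(PDO $db, string $sid): bool
{
    if (!preg_match('/^[A-Za-z0-9,-]{22,128}$/', $sid)) {
        return false;                      // not something PHP would have generated
    }
    $st = $db->prepare('SELECT 1 FROM sessions WHERE id = ? AND expires > ?');
    $st->execute([$sid, time()]);
    if ($st->fetchColumn() === false) {
        return false;                      // unknown or expired id: refuse it
    }
    session_id($sid);                      // must be called before session_start()
    shared_session_start($db);             // sends Set-Cookie: PHPSESSID=<sid> for this domain
    return true;
}

// Usage in site2's setMySess.php (parameter name "sid" is assumed):
//   $db = new PDO(SESSION_DSN, SESSION_USER, SESSION_PASS);
//   if (!adopt_shared_sid($db, $_GET['sid'] ?? '')) { http_response_code(403); exit; }
```

Even with the existence check, the session id travels in a URL and so lands in browser history, Referer headers and web-server logs of every domain involved, which is one concrete reason not to trust this design for sites with strict security requirements.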

Re: SSO between different websites

On Apr 23, 10:35 am, Erwin Moller wrote:

No - that's one way to implement a SSO solution but implies a very
high level of trust between the 2 sites. SSO merely implies
authentication and to a certain extent session management (which is
something different from session data).

Without sharing the session, the simplest way to approach the problem
is to have a third vhost to handle the authentication, then on your
applications do something like the following (which could be
implemented via autoprepend).

    session_start();
    if (empty($_SESSION['authenticated_user'])) {
        if (!empty($_GET['auth_token'])) {
            // complement of encrypt on the SSO vhost - e.g. using a shared secret and symmetric encryption
            if ($user = decrypt($_GET['auth_token'])) {
                $_SESSION['authenticated_user'] = $user;
            } else {
                print "invalid token passed from SSO vhost";
                exit;
            }
        } else {
            // user tried to access page without authenticating - send to SSO with return address
            // ($sso_login_url: address of the login page on the SSO vhost)
            $return = 'https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'];
            header('Location: ' . $sso_login_url . '?return=' . urlencode($return));
            exit;
        }
    }
    // if we got here, then $_SESSION['authenticated_user'] holds a valid username.
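
The token exchange sketched above, as an added example that is not Colin's code or anything from the thread: the encrypt()/decrypt() pair his snippet relies on, built with AES-256-GCM so the token is both unreadable and tamper-evident, plus the checks a practitioner would want before trusting it. The 32-byte shared key, the 60-second lifetime, the `aud` (intended application) and `exp` (expiry) fields and the hostnames in the self-check are all my assumptions, not anything the post specifies.

```php
<?php
// Added example, not code from the thread. Assumed: a 32-byte shared secret
// known only to the SSO vhost and the application vhosts, distributed out of band.
const TOKEN_TTL = 60;             // seconds a token stays valid after issue (assumed)
const CIPHER    = 'aes-256-gcm';

// SSO vhost: after authenticating the user, mint the token that is sent back to
// the application in ?auth_token=...  The audience binds it to one application.
function issue_auth_token(string $key, string $user, string $audience, ?int $now = null): string
{
    $now = $now ?? time();
    $payload = json_encode(['user' => $user, 'aud' => $audience, 'exp' => $now + TOKEN_TTL]);
    $iv  = random_bytes(12);                   // fresh nonce per token, never reused with this key
    $tag = '';
    $ct  = openssl_encrypt($payload, CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    // URL-safe base64 so the token survives a query string unchanged
    return rtrim(strtr(base64_encode($iv . $tag . $ct), '+/', '-_'), '=');
}

// Application vhost: the complement of issue_auth_token(). Returns the username,
// or null if the token is forged, altered, expired or minted for another site.
function verify_auth_token(string $key, string $token, string $audience, ?int $now = null): ?string
{
    $now = $now ?? time();
    $raw = base64_decode(strtr($token, '-_', '+/'), true);
    if ($raw === false || strlen($raw) < 12 + 16 + 1) {
        return null;
    }
    $iv  = substr($raw, 0, 12);
    $tag = substr($raw, 12, 16);
    $ct  = substr($raw, 28);
    $plain = openssl_decrypt($ct, CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($plain === false) {
        return null;                           // wrong key or any modified bit: GCM tag fails
    }
    $p = json_decode($plain, true);
    if (!is_array($p) || !isset($p['user'], $p['aud'], $p['exp'])) {
        return null;
    }
    if ($p['aud'] !== $audience) {
        return null;                           // token was issued for a different application
    }
    if ($p['exp'] < $now) {
        return null;                           // too old: limits replay of a leaked token
    }
    return $p['user'];
}

// Stand-alone self-check with constructed values (not from the thread).
$key = random_bytes(32);
$tok = issue_auth_token($key, 'alice', 'site2.example');
assert(verify_auth_token($key, $tok, 'site2.example') === 'alice');
assert(verify_auth_token($key, $tok, 'site1.example') === null);               // wrong audience
assert(verify_auth_token($key, $tok, 'site2.example', time() + 120) === null); // expired
assert(verify_auth_token($key, substr($tok, 0, -2) . 'AA', 'site2.example') === null); // tampered
assert(verify_auth_token(random_bytes(32), $tok, 'site2.example') === null);   // other key
```

In Colin's skeleton, `decrypt($_GET['auth_token'])` becomes `verify_auth_token($key, $_GET['auth_token'], $_SERVER['HTTP_HOST'])`, and once it returns a username the application should call `session_regenerate_id(true)` before storing `authenticated_user`, so the session the user ends up in is not one that existed before they were trusted.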



Re: SSO between different websites


on 04/23/2010 06:13 AM KJ said the following:

You can use the OpenID protocol for that. Coincidentally I am implementing
OpenID in a site to solve the same problem.

There is an OpenID client class here, but I am implementing the client
and server classes from scratch because I want to migrate existing
accounts. I may publish my classes later.


Manuel Lemos

Find and post PHP jobs

PHP Classes - Free ready to use OOP components written in PHP
