Secure Cross-Site Authentication
I am working on multiple sites that I would like to share the same login system (much like Windows Live).
What's the best way to accomplish this via PHP? I thought about creating some sort of web service that you can authenticate against but I'm not sure if that's the best way to go. I've never created a web service in PHP before and it seems quite complex and I was hoping for a simple yet secure and fast way of doing this (Xml serialization and deserialization, IMO, isn't necessary if the site that's authenticating is on the same server so I would prefer to not use this).
Have any of you created a system like this?
Re: Secure Cross-Site Authentication
User goes to Site1, logs in. User then goes to Site2. Do you want the user to be 'automatically' logged in or do you want the user to be able to use the same credentials to login to Site2?
If it's the latter, consider the web service idea. If PHP is too difficult for this, you always have ASP.NET.
You can implement a token mechanism in which the user receives a token after being authenticated, which can then be used for subsequent web method calls; the 'lifetime' of the token can be handled by your web service. Or you can go simpler and have the web service authenticate the user and upon success, get the application to write a cookie which the website then uses and checks on every page being accessed.
Re: Secure Cross-Site Authentication
Your problem is not that the two sites may be on different servers. Your problem is that they are, almost inevitably, on different domains.
Solution:
Cross Domain Cookie Provider
Quote:
Originally Posted by mendhak
If it's the latter, consider the web service idea. If PHP is too difficult for this, you always have ASP.NET.
:lol:
Re: Secure Cross-Site Authentication
Quote:
Originally Posted by mendhak
User goes to Site1, logs in. User then goes to Site2. Do you want the user to be 'automatically' logged in or do you want the user to be able to use the same credentials to login to Site2?
Automatically would be preferred but is not required.
Quote:
Originally Posted by mendhak
If it's the latter, consider the web service idea. If PHP is too difficult for this, you always have ASP.NET.
It's not that PHP is too difficult but some sites may or may not be on the same box so I thought it may increase efficiency to see if something else was available rather than serializing, deserializing, serializing, and finally deserializing all on the same server.
Quote:
Originally Posted by mendhak
You can implement a token mechanism in which the user receives a token after being authenticated, which can then be used for subsequent web method calls; the 'lifetime' of the token can be handled by your web service. Or you can go simpler and have the web service authenticate the user and upon success, get the application to write a cookie which the website then uses and checks on every page being accessed.
When you say token, are you referring to something on the server-side, client-side or both? Cookies could be an issue since it could be not only different servers but different domains.
Quote:
Originally Posted by penagate
Your problem is not that the two sites may be on different servers. Your problem is that they are, almost inevitably, on different domains.
Solution:
Cross Domain Cookie Provider
Thanks I'll take a look at that as well.
Re: Secure Cross-Site Authentication
Quote:
Originally Posted by penagate
:lol:
Laugh it up, RESTboy. :afrog:
Quote:
Originally Posted by kasracer
When you say token, are you referring to something on the server-side, client-side or both? Cookies could be an issue since it could be not only different servers but different domains.
I meant something like a complex string that lasts for x minutes, issued by the web service application; the client application calls various REST methods and always passes that token through. The web service always verifies that token against a list it may have somewhere and if those x minutes are up, the token becomes invalid and the client needs to authenticate again. I believe it may be commonly used in REST services; I'm trying to remember if Flickr uses this mechanism or not. However, this isn't what you were looking for, it seems. The cookie solution would be good if you get that working.
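The opaque-token scheme mendhak describes in both of his replies (a random string issued after login, kept in a server-side list with a lifetime of x minutes, checked on every call and dropped once it expires), as an added example in PHP that is not code from this thread. The in-memory array standing in for the "list", the sample user and the 15-minute lifetime are all constructed for the example; a real service would keep the list in a database or cache that every site can reach.

```php
<?php
// Added example (not from the thread): an opaque-token issuer for a shared auth web service.
// The service verifies credentials, hands out a random token, records it with an expiry
// in a server-side list, and answers "who owns this token?" for the client sites.
// Storage is an in-memory array here for illustration only.

declare(strict_types=1);

final class TokenService
{
    private const LIFETIME_SECONDS = 15 * 60;   // the "x minutes" from the discussion
    private array $tokens = [];                 // token => ['user' => ..., 'expires' => ...]
    private array $users;                       // constructed sample users: name => password hash

    public function __construct(array $users)
    {
        $this->users = $users;
    }

    /** Verify credentials and issue a fresh token, or return null on failure. */
    public function login(string $user, string $password): ?string
    {
        if (!isset($this->users[$user]) || !password_verify($password, $this->users[$user])) {
            return null;
        }
        $token = bin2hex(random_bytes(32));     // 256 bits from a CSPRNG: not guessable
        $this->tokens[$token] = [
            'user'    => $user,
            'expires' => time() + self::LIFETIME_SECONDS,
        ];
        return $token;
    }

    /** Return the user a valid token belongs to, or null if it is unknown or expired. */
    public function userFor(string $token): ?string
    {
        if (!isset($this->tokens[$token])) {
            return null;
        }
        if ($this->tokens[$token]['expires'] < time()) {
            unset($this->tokens[$token]);       // expired: drop it so the client must log in again
            return null;
        }
        return $this->tokens[$token]['user'];
    }

    /** Explicit logout invalidates the token immediately, before its lifetime ends. */
    public function logout(string $token): void
    {
        unset($this->tokens[$token]);
    }
}

// Constructed sample data and a usage run.
$service = new TokenService(['alice' => password_hash('correct horse', PASSWORD_DEFAULT)]);

var_dump($service->login('alice', 'wrong'));           // NULL
$token = $service->login('alice', 'correct horse');    // 64 hex characters
var_dump($service->userFor($token));                   // string(5) "alice"
$service->logout($token);
var_dump($service->userFor($token));                   // NULL
```

Because the token is only a lookup key, the service can revoke it at any time (logout, password change) by deleting the row, which a purely signed token cannot do without extra bookkeeping; the trade-off is that every site has to call back to the service, or share its store, on each request.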
Re: Secure Cross-Site Authentication
Quote:
Originally Posted by kasracer
I am working on multiple sites that I would like to share the same login system (much like Windows Live).
What's the best way to accomplish this via PHP? I thought about creating some sort of web service that you can authenticate against but I'm not sure if that's the best way to go. I've never created a web service in PHP before and it seems quite complex and I was hoping for a simple yet secure and fast way of doing this (Xml serialization and deserialization, IMO, isn't necessary if the site that's authenticating is on the same server so I would prefer to not use this).
Have any of you created a system like this?
If mcrypt is available you can use a digital signature to sign an authentication token. :)
Re: Secure Cross-Site Authentication
Well, have you tried getting the credential data from the same database > table > column?
If the 2nd site is on the same server & account it should work.
I personally haven't tried cross-domain authentication.
I didn't fully read the replies so sorry if I'm just repeating another's reply.
Re: Secure Cross-Site Authentication
I was looking at Windows Live and this is how they do it:
AUTH-SITE - login system
SITE-1 - website 1
SITE-2 - website 2
Login to site 1:
SITE-1 > AUTH-SITE > SITE-1
Login to site 2:
SITE-2 > AUTH-SITE > SITE-2
muy simple (very simple)
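An added example, not code from this thread, that puts penagate's signed-token suggestion together with the SITE-1 > AUTH-SITE > SITE-1 flow above: AUTH-SITE signs a short-lived token after the login and hands it back to the site in the redirect, and the receiving site verifies the signature and the expiry before starting its own session. penagate mentions mcrypt; that extension has been removed from current PHP, so this example uses an HMAC (hash_hmac) over the token payload instead, which is the usual shared-secret signature between sites under one operator. The secret, the site names and the user are constructed for the example.

```php
<?php
// Added example (not from the thread): a signed, short-lived login token carried in the
// redirect from AUTH-SITE back to SITE-1 or SITE-2. HMAC-SHA256 with a shared secret
// replaces the mcrypt-based signature mentioned in the thread. All values are constructed.

declare(strict_types=1);

const TOKEN_LIFETIME = 120;   // seconds; a redirect token only needs to survive one hop

/** AUTH-SITE builds the token after it has verified the user's credentials. */
function issueToken(string $secret, string $user, string $audience, int $now): string
{
    $payload = json_encode([
        'sub'   => $user,        // who logged in
        'aud'   => $audience,    // which site the token is for; blocks replay at the other site
        'exp'   => $now + TOKEN_LIFETIME,
        'nonce' => bin2hex(random_bytes(16)),   // makes every token unique
    ]);
    $body = rtrim(strtr(base64_encode($payload), '+/', '-_'), '=');   // URL-safe base64
    $mac  = hash_hmac('sha256', $body, $secret);
    return $body . '.' . $mac;
}

/** SITE-n checks the token it received in the redirect; returns the user or null. */
function verifyToken(string $secret, string $token, string $expectedAudience, int $now): ?string
{
    $parts = explode('.', $token);
    if (count($parts) !== 2) {
        return null;
    }
    [$body, $mac] = $parts;
    // Check the signature first, in constant time, before trusting anything in the payload.
    if (!hash_equals(hash_hmac('sha256', $body, $secret), $mac)) {
        return null;
    }
    $b64  = strtr($body, '-_', '+/');
    $b64 .= str_repeat('=', (4 - strlen($b64) % 4) % 4);   // restore the stripped padding
    $json = base64_decode($b64, true);
    $claims = $json === false ? null : json_decode($json, true);
    if (!is_array($claims)) {
        return null;
    }
    if (($claims['aud'] ?? null) !== $expectedAudience) {
        return null;   // minted for a different site
    }
    if (!isset($claims['exp']) || $claims['exp'] < $now) {
        return null;   // expired
    }
    return $claims['sub'] ?? null;
}

// Constructed usage. The secret is shared between AUTH-SITE and the member sites only;
// it is never sent to the browser.
$secret = 'replace-with-a-random-secret-loaded-from-config';
$now = time();
$token = issueToken($secret, 'alice', 'SITE-1', $now);

var_dump(verifyToken($secret, $token, 'SITE-1', $now));          // string(5) "alice"
var_dump(verifyToken($secret, $token, 'SITE-2', $now));          // NULL: wrong audience
var_dump(verifyToken($secret, $token, 'SITE-1', $now + 600));    // NULL: expired
var_dump(verifyToken($secret, $token . 'x', 'SITE-1', $now));    // NULL: signature mismatch
```

Once verifyToken returns a user, the receiving site sets its own session cookie on its own domain, which is what sidesteps the different-domain cookie problem penagate pointed out: the only thing that crosses domains is the one-hop signed token in the redirect URL. Keeping the lifetime to a couple of minutes and binding the token to a single audience limits what a leaked URL (browser history, referrer, proxy logs) is worth.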
Re: Secure Cross-Site Authentication
That's what they do, not how they do it.
Re: Secure Cross-Site Authentication
You have to be technical, don't you?
A few months ago I wanted to create an app like this, but I didn't. Might start it, sounds fun.