Thread: Secure Cross-Site Authentication

  1. #1

    Thread Starter
    KrisSiegel.com Kasracer's Avatar
    Join Date
    Jul 2003
    Location
    USA, Maryland
    Posts
    4,985

    Question Secure Cross-Site Authentication

    I am working on multiple sites that I would like to share the same login system (much like Windows Live).

    What's the best way to accomplish this via PHP? I thought about creating some sort of web service that you can authenticate against but I'm not sure if that's the best way to go. I've never created a web service in PHP before and it seems quite complex and I was hoping for a simple yet secure and fast way of doing this (Xml serialization and deserialization, IMO, isn't necessary if the site that's authenticating is on the same server so I would prefer to not use this).

    Have any of you created a system like this?
    KrisSiegel.com - My Personal Website with my blog and portfolio
    Don't Forget to Rate Posts!

    Free Icons: FamFamFam, VBCorner, VBAccelerator
    Useful Links: System.Security.SecureString Managed DPAPI Overview Part 1 Managed DPAPI Overview Part 2 MSDN, MSDN2, Comparing the Timer Classes

  2. #2
    I'm about to be a PowerPoster! mendhak's Avatar
    Join Date
    Feb 2002
    Location
    Ulaan Baator GooGoo: Frog
    Posts
    38,170

    Re: Secure Cross-Site Authentication

    User goes to Site1, logs in. User then goes to Site2. Do you want the user to be 'automatically' logged in or do you want the user to be able to use the same credentials to login to Site2?

    If it's the latter, consider the web service idea. If PHP is too difficult for this, you always have ASP.NET.

    You can implement a token mechanism in which the user receives a token after being authenticated, which can then be used for subsequent web method calls; the 'lifetime' of the token can be handled by your web service. Or you can go simpler and have the web service authenticate the user and upon success, get the application to write a cookie which the website then uses and checks on every page being accessed.

  3. #3
    I'm about to be a PowerPoster!
    Join Date
    Jan 2005
    Location
    Everywhere
    Posts
    13,647

    Re: Secure Cross-Site Authentication

    Your problem is not that the two sites may be on different servers. Your problem is that they are, almost inevitably, on different domains.

    Solution:
    Cross Domain Cookie Provider


    Quote Originally Posted by mendhak
    If it's the latter, consider the web service idea. If PHP is too difficult for this, you always have ASP.NET.

  4. #4

    Thread Starter
    KrisSiegel.com Kasracer's Avatar
    Join Date
    Jul 2003
    Location
    USA, Maryland
    Posts
    4,985

    Re: Secure Cross-Site Authentication

    Quote Originally Posted by mendhak
        User goes to Site1, logs in. User then goes to Site2. Do you want the user to be 'automatically' logged in or do you want the user to be able to use the same credentials to login to Site2?

    Automatically would be preferred but is not required.

    Quote Originally Posted by mendhak
        If it's the latter, consider the web service idea. If PHP is too difficult for this, you always have ASP.NET.

    It's not that PHP is too difficult but some sites may or may not be on the same box so I thought it may increase efficiency to see if something else was available rather than serializing, deserializing, serializing, and finally deserializing all on the same server.

    Quote Originally Posted by mendhak
        You can implement a token mechanism in which the user receives a token after being authenticated, which can then be used for subsequent web method calls; the 'lifetime' of the token can be handled by your web service. Or you can go simpler and have the web service authenticate the user and upon success, get the application to write a cookie which the website then uses and checks on every page being accessed.

    When you say token, are you referring to something on the server-side, client-side or both? Cookies could be an issue since it could be not only different servers but different domains.

    Quote Originally Posted by penagate
        Your problem is not that the two sites may be on different servers. Your problem is that they are, almost inevitably, on different domains.

        Solution:
        Cross Domain Cookie Provider

    Thanks I'll take a look at that as well.

  5. #5
    I'm about to be a PowerPoster! mendhak's Avatar
    Join Date
    Feb 2002
    Location
    Ulaan Baator GooGoo: Frog
    Posts
    38,170

    Re: Secure Cross-Site Authentication

    Quote Originally Posted by penagate



    Laugh it up, RESTboy.


    Quote Originally Posted by kasracer
        When you say token, are you referring to something on the server-side, client-side or both? Cookies could be an issue since it could be not only different servers but different domains.

    I meant something like a complex string that lasts for x minutes, issued by the web service application; the client application calls various REST methods and always passes that token through. The web service always verifies that token against a list it may have somewhere and if those x minutes are up, the token becomes invalid and the client needs to authenticate again. I believe it may be commonly used in REST services; I'm trying to remember if Flickr uses this mechanism or not. However, this isn't what you were looking for, it seems. The cookie solution would be good if you get that working.

  6. #6
    VBA Nutter visualAd's Avatar
    Join Date
    Apr 2002
    Location
    Ickenham, UK
    Posts
    4,906

    Re: Secure Cross-Site Authentication

    Quote Originally Posted by kasracer
        I am working on multiple sites that I would like to share the same login system (much like Windows Live).

        What's the best way to accomplish this via PHP? I thought about creating some sort of web service that you can authenticate against but I'm not sure if that's the best way to go. I've never created a web service in PHP before and it seems quite complex and I was hoping for a simple yet secure and fast way of doing this (Xml serialization and deserialization, IMO, isn't necessary if the site that's authenticating is on the same server so I would prefer to not use this).

        Have any of you created a system like this?

    If mcrypt is available you can use a digital signature to sign an authentication token.
    PHP || MySql || Apache || Get Firefox || OpenOffice.org || Click || Slap ILMV || 1337 c0d || GotoMyPc For FREE! Part 1, Part 2

    | PHP Session --> Database Handler * Custom Error Handler * Installing PHP * HTML Form Handler * PHP 5 OOP * Using XML * Ajax * Xslt | VB6 Winsock - HTTP POST / GET * Winsock - HTTP File Upload

    Latest quote: crptcblade - VB6 executables can't be decompiled, only disassembled. And the disassembled code is even less useful than I am.

    Random VisualAd: Blog - Latest Post: When the Internet becomes Electricity!!


    Spread happiness and joy. Rate good posts.
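
The expiring token mendhak describes in #5 and the signed token visualAd suggests in #6, combined in one sketch. This is an added example, not code from any poster in the thread; it uses PHP's sodium extension (Ed25519, bundled with PHP since 7.2) in place of mcrypt, and the function names, hostnames, user name and claim names are assumptions.

```php
<?php
// Added example: short-lived, audience-bound login token signed with Ed25519.
// Function names, hostnames and the user name are hypothetical.

function b64(string $bin): string {
    return sodium_bin2base64($bin, SODIUM_BASE64_VARIANT_URLSAFE_NO_PADDING);
}

// AUTH-SITE: called after the password check succeeded; only it holds $secretKey.
function issue_token(string $user, string $audience, string $secretKey, int $ttl = 120): string {
    $payload = json_encode([
        'sub' => $user,
        'aud' => $audience,               // the one site this token is valid for
        'exp' => time() + $ttl,           // the "x minutes" lifetime
        'jti' => b64(random_bytes(16)),   // unique id so a site can reject replays
    ]);
    return b64($payload) . '.' . b64(sodium_crypto_sign_detached($payload, $secretKey));
}

// SITE-1 / SITE-2: hold only the public key, so they can verify but not mint tokens.
function verify_token(string $token, string $self, string $publicKey, ?int $now = null): ?array {
    $parts = explode('.', $token);
    if (count($parts) !== 2) return null;
    try {
        $payload = sodium_base642bin($parts[0], SODIUM_BASE64_VARIANT_URLSAFE_NO_PADDING);
        $sig     = sodium_base642bin($parts[1], SODIUM_BASE64_VARIANT_URLSAFE_NO_PADDING);
        // Check the signature before trusting anything inside the payload.
        if (!sodium_crypto_sign_verify_detached($sig, $payload, $publicKey)) return null;
    } catch (SodiumException $e) {
        return null;                      // malformed base64 or wrong-length signature
    }
    $claims = json_decode($payload, true);
    if (!is_array($claims)) return null;
    if (($claims['aud'] ?? null) !== $self) return null;         // minted for another site
    if (($claims['exp'] ?? 0) < ($now ?? time())) return null;   // lifetime is over
    return $claims;
}

// Constructed demo: key pair generated inline; real keys would live in each site's config.
$kp     = sodium_crypto_sign_keypair();
$secret = sodium_crypto_sign_secretkey($kp);
$public = sodium_crypto_sign_publickey($kp);
$token  = issue_token('kasracer', 'site1.example', $secret);

var_dump(verify_token($token, 'site1.example', $public));                // intended site
var_dump(verify_token($token, 'site2.example', $public));                // different site
var_dump(verify_token($token, 'site1.example', $public, time() + 600));  // after expiry
$forged = b64('{"sub":"admin","aud":"site1.example","exp":9999999999}') . strstr($token, '.');
var_dump(verify_token($forged, 'site1.example', $public));               // edited payload
```

A site that accepts a token should also remember its `jti` until `exp` and refuse a second use, and the token should only ever travel over HTTPS.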

  7. #7
    Lively Member
    Join Date
    Dec 2005
    Posts
    68

    Re: Secure Cross-Site Authentication

    OpenID.net

  8. #8
    New Member Killsoft69's Avatar
    Join Date
    May 2008
    Posts
    3

    Re: Secure Cross-Site Authentication

    Well, have you tried getting the credential data from the same database > table > column?

    If the 2nd site is on the same server & account it should work.
    I personally haven't tried cross-domain authentication.
    I didn't fully read the replies, so sorry if I'm just repeating another's reply.

  9. #9
    WiggleWiggle dclamp's Avatar
    Join Date
    Aug 2006
    Posts
    3,527

    Re: Secure Cross-Site Authentication

    I was looking at Windows Live and this is how they do it:

    AUTH-SITE - login system
    SITE-1 - website 1
    SITE-2 - website 2

    Login to site 1:
    SITE-1 > AUTH-SITE > SITE-1

    Login to site 2:
    SITE-2 > AUTH-SITE > SITE-2

    muy simple (very simple)
    My usual boring signature: Something

  10. #10
    VBA Nutter visualAd's Avatar
    Join Date
    Apr 2002
    Location
    Ickenham, UK
    Posts
    4,906

    Re: Secure Cross-Site Authentication

    That's what they do, not how they do it.

  11. #11
    WiggleWiggle dclamp's Avatar
    Join Date
    Aug 2006
    Posts
    3,527

    Re: Secure Cross-Site Authentication

    You have to be technical, don't you.

    A few months ago I wanted to create an app like this, but I didn't. Might start it, sounds fun.
