I am setting up a cross domain authentication system. If logged in on the main domain, it should show logged in on all other foreign domains as well.
I tried file_get_contents, but this doesn't work as the session info is not given to the page call.
I understand that with curl I might get this working, but I need a solution for domains where curl is not available.
Basically I want to call a page on the main domain that checks if the user is logged in and that displays the user credentials in that case so the foreign domain can use that info. Is this possible at all just using PHP?
Authentication across several domains
- Grizzzzzzzzzz
- Forum Contributor
- Posts: 125
- Joined: Wed Sep 02, 2009 8:51 am
Re: Authentication across several domains
By 'several domains', do you mean one main one and then several sub-domains?
In which case, look into this:
http://php.net/manual/en/function.sessi ... params.php
Re: Authentication across several domains
You should never display credentials, and you should never have them stored to be able to display them.
Real programmers don't comment their code. If it was hard to write, it should be hard to understand.
Re: Authentication across several domains
pickle wrote:You should never display credentials, and you should never have them stored to be able to display them.
I only need username and group permissions, not the password. This is not really a problem as the connection can be encrypted because the domains already use encrypted API calls.
I am not talking subdomains but real domains located on different servers here.
I need to check if the user is logged in on the main page or not. My solution for now is to call a counter.php in an iframe that updates a database table with the IP and user agent. I then call the API to check for the IP and user agent in that row and display the info I need. As I said, the call is hashed and the info encrypted, and no password is displayed anyhow.
This however requires 2 page calls to the main domain and I was thinking there might be a way to just do it with one call to lighten the load.
- x_mutatis_mutandis_x
- Forum Contributor
- Posts: 160
- Joined: Tue Apr 17, 2012 12:57 pm
Re: Authentication across several domains
AGISB wrote:I am setting up a cross domain authentication system. If logged in on the main domain, it should show logged in on all other foreign domains as well.
More or less a Single-Sign-On solution.
Theoretical explanation: You need to have a server, and a broker for it. The server is a page hosted separately; it keeps track of sessions and registered brokers. Brokers are your different sites in different/same domains. Brokers communicate with the server to check if the user is logged in.
If the broker is not registered with the server, you can show an error page (i.e., the user cannot even access your login page).
If the broker is registered with the server, and the user is logged in, let him/her into your site (broker). If not, then show the login page.
When the user submits the login, post the data to the broker, which makes a curl request to the server sending the credentials. The server validates, authenticates and sets up a session for the user, storing the session id as a cookie on the user end, and starts a session with the broker, storing this session_id in the broker's session. In that way the broker has access to the session_id set by the server for the user (which means it can be used cross domain) to check if the user is logged in.
Re: Authentication across several domains
x_mutatis_mutandis_x wrote:
AGISB wrote:I am setting up a cross domain authentication system. If logged in on the main domain, it should show logged in on all other foreign domains as well.
More or less a Single-Sign-On solution.
Theoretical explanation: You need to have a server, and a broker for it. The server is a page hosted separately; it keeps track of sessions and registered brokers. Brokers are your different sites in different/same domains. Brokers communicate with the server to check if the user is logged in.
If the broker is not registered with the server, you can show an error page (i.e., the user cannot even access your login page).
If the broker is registered with the server, and the user is logged in, let him/her into your site (broker). If not, then show the login page.
When the user submits the login, post the data to the broker, which makes a curl request to the server sending the credentials. The server validates, authenticates and sets up a session for the user, storing the session id as a cookie on the user end, and starts a session with the broker, storing this session_id in the broker's session. In that way the broker has access to the session_id set by the server for the user (which means it can be used cross domain) to check if the user is logged in.

I think I got the theory sorted out, but the solution is the problem, as even your solution had the curl request in it. I always like solutions that are independent from packages that might or might not be installed.
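
The broker-to-server check described in this thread, done without the curl extension, as an added example that is not part of any post above: the broker signs its query with a per-broker secret and sends it through PHP's http stream wrapper, and the server verifies broker, freshness and signature before answering. It assumes `allow_url_fopen` is enabled and that the broker already holds the server-issued session id; all function names, the broker id and the secret are hypothetical.

```php
<?php
// Added example, not code from the thread. All names, ids and the secret are hypothetical.
const BROKER_ID     = 'shop-example';                 // constructed broker id
const BROKER_SECRET = 'replace-with-long-random-key'; // shared only with the SSO server

// Both sides sign the same unambiguous encoding of (broker, session id, timestamp).
function sso_sign(string $broker, string $sid, int $ts, string $secret): string
{
    return hash_hmac('sha256', json_encode([$broker, $sid, $ts]), $secret);
}

// Broker side: fields for one "is this session logged in?" query.
function sso_build_request(string $sid, int $now): array
{
    return ['broker' => BROKER_ID, 'sid' => $sid, 'ts' => $now,
            'sig' => sso_sign(BROKER_ID, $sid, $now, BROKER_SECRET)];
}

// Broker side: POST through the http stream wrapper instead of curl.
function sso_query_server(string $url, array $fields): ?array
{
    $ctx = stream_context_create(['http' => [
        'method'  => 'POST',
        'header'  => "Content-Type: application/x-www-form-urlencoded\r\n",
        'content' => http_build_query($fields),
        'timeout' => 5,
    ]]);
    $body = @file_get_contents($url, false, $ctx);
    $data = $body === false ? null : json_decode($body, true);
    return is_array($data) ? $data : null; // null on network or parse failure
}

// Server side: refuse unregistered brokers, stale timestamps and bad signatures
// before any session lookup happens.
function sso_verify_request(array $post, array $secrets, int $now): bool
{
    $broker = (string)($post['broker'] ?? '');
    $ts     = (int)($post['ts'] ?? 0);
    if (!isset($secrets[$broker]) || abs($now - $ts) > 60) {
        return false;
    }
    $expected = sso_sign($broker, (string)($post['sid'] ?? ''), $ts, $secrets[$broker]);
    return hash_equals($expected, (string)($post['sig'] ?? '')); // constant-time compare
}

// Offline demonstration with constructed values (no network call is made).
$req = sso_build_request('constructed-session-id', 1700000000);
var_dump(sso_verify_request($req, [BROKER_ID => BROKER_SECRET], 1700000030)); // untouched request
$req['sid'] = 'someone-elses-session';                                        // sid altered after signing
var_dump(sso_verify_request($req, [BROKER_ID => BROKER_SECRET], 1700000030));
```

In a deployment the server would answer a verified request with the username and group permissions for that session id over HTTPS, and the broker would treat a `null` result from `sso_query_server()` as "not logged in".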