
Authentication across several domains

Posted: Tue May 15, 2012 7:34 am
by AGISB
I am setting up a cross domain authentication system. If logged in on the main domain, it should show logged in on all other foreign domains as well.

I tried file_get_contents but this doesn't work as the session info is not given to the page call.

I understand that with curl I might get this working, but I need a solution for domains where curl is not available.

Basically I want to call a page on the main domain that checks if the user is logged in and that displays the user credentials in that case so the foreign domain can use that info. Is this possible at all just using PHP?

Re: Authentication across several domains

Posted: Tue May 15, 2012 9:38 am
by Grizzzzzzzzzz
By 'several domains', do you mean one main one and then several sub-domains?

In which case look into this:

http://php.net/manual/en/function.sessi ... params.php

Re: Authentication across several domains

Posted: Tue May 15, 2012 11:11 am
by pickle
You should never display credentials, and you should never have them stored to be able to display them.

Re: Authentication across several domains

Posted: Wed May 16, 2012 4:27 am
by AGISB
pickle wrote: You should never display credentials, and you should never have them stored to be able to display them.
I only need username and group permissions, not the password. This is not really a problem as the connection can be encrypted because the domains already use encrypted API calls.

I am not talking subdomains but real domains located on different servers here.

I need to check if the user is logged in on the main page or not. My solution for now is to call a counter.php in an iframe that updates a database table with the IP and user agent. I then call the API to check for the IP and user agent in that row and display the info I need. As I said, the call is hashed and the info encrypted, and no password is displayed anyhow.

This however requires 2 page calls to the main domain and I was thinking there might be a way to just do it with one call to lighten the load.

Re: Authentication across several domains

Posted: Thu May 17, 2012 12:21 pm
by x_mutatis_mutandis_x
AGISB wrote: I am setting up a cross domain authentication system. If logged in on the main domain, it should show logged in on all other foreign domains as well.
More or less a Single-Sign-On solution.

Theoretical explanation: You need to have a server, and a broker for it. Server is a page hosted separately, keeps track of sessions, and registered brokers. Brokers are your different sites in different/same domain. Brokers communicate with server to check if user is logged in.

If broker is not registered with the server, you can show an error page (i.e., user cannot even access your login page).

If broker registered with the server, and user is logged in, let him/her into your site (broker). If not, then show login page.

When user submits login, post the data to broker, which makes a curl request to the server sending the credentials. Server validates, authenticates and sets up a session for the user, storing session id as cookie on user end, and starts a session with the broker, storing this session_id in broker's session. In that way broker has access to the session_id set by the server for the user (which means can be used in cross domain) to check if user logged in.

Re: Authentication across several domains

Posted: Sat May 19, 2012 2:29 am
by AGISB
x_mutatis_mutandis_x wrote:
AGISB wrote: I am setting up a cross domain authentication system. If logged in on the main domain, it should show logged in on all other foreign domains as well.
More or less a Single-Sign-On solution.

Theoretical explanation: You need to have a server, and a broker for it. Server is a page hosted separately, keeps track of sessions, and registered brokers. Brokers are your different sites in different/same domain. Brokers communicate with server to check if user is logged in.

If broker is not registered with the server, you can show an error page (i.e., user cannot even access your login page).

If broker registered with the server, and user is logged in, let him/her into your site (broker). If not, then show login page.

When user submits login, post the data to broker, which makes a curl request to the server sending the credentials. Server validates, authenticates and sets up a session for the user, storing session id as cookie on user end, and starts a session with the broker, storing this session_id in broker's session. In that way broker has access to the session_id set by the server for the user (which means can be used in cross domain) to check if user logged in.
I think I got the theory sorted out, but the solution is the problem, as even your solution had the curl request in it. I always like solutions that are independent from packages that might or might not be installed.
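
Added example, not part of any post in this thread: one way to run the server/broker check described above without curl is to send the browser to the main domain (which sees its own session cookie) and have it redirect back with a short-lived, HMAC-signed assertion carrying only the username and groups. The function names, claim keys, per-broker shared secret and host names are assumptions made for illustration.

```php
<?php
// Added example: every name here is hypothetical, not taken from the thread.
const ASSERTION_TTL = 60; // seconds an assertion stays valid

// Main domain: called only after its own session confirms the user is logged in.
function issue_assertion(array $user, string $brokerId, string $secret, int $now): string
{
    $claims = [
        'usr' => $user['username'],
        'grp' => $user['groups'],
        'aud' => $brokerId,                   // the one broker allowed to accept it
        'exp' => $now + ASSERTION_TTL,
        'jti' => bin2hex(random_bytes(16)),   // one-time id for replay tracking
    ];
    $body = base64_encode(json_encode($claims));
    return $body . '.' . hash_hmac('sha256', $body, $secret);
}

// Foreign domain (broker): returns the user info, or null if the token is rejected.
// $seen stands in for a shared store of already-used ids (database, cache).
function verify_assertion(string $token, string $brokerId, string $secret, int $now, array &$seen): ?array
{
    $parts = explode('.', $token);
    if (count($parts) !== 2) {
        return null;
    }
    [$body, $mac] = $parts;
    // Check the MAC in constant time before trusting any field in the body.
    if (!hash_equals(hash_hmac('sha256', $body, $secret), $mac)) {
        return null;
    }
    $claims = json_decode((string) base64_decode($body, true), true);
    if (!is_array($claims) || !isset($claims['usr'], $claims['grp'], $claims['aud'], $claims['exp'], $claims['jti'])) {
        return null;
    }
    if ($claims['aud'] !== $brokerId || $claims['exp'] < $now || isset($seen[$claims['jti']])) {
        return null; // wrong broker, expired, or already used
    }
    $seen[$claims['jti']] = true;
    return ['username' => $claims['usr'], 'groups' => $claims['grp']];
}

// Constructed demo values; in use, the main domain would redirect the browser to
// the broker with the token as a query parameter, encoded with rawurlencode().
$secret = 'constructed-demo-secret';
$seen = [];
$token = issue_assertion(['username' => 'alice', 'groups' => ['editors']], 'foreign.example', $secret, time());
var_dump(verify_assertion($token, 'foreign.example', $secret, time(), $seen)); // first use
var_dump(verify_assertion($token, 'foreign.example', $secret, time(), $seen)); // same token replayed
var_dump(verify_assertion($token, 'other.example', $secret, time(), $seen));   // presented to another broker
```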