[ACCEPTED]-Cross domain cookies-single-sign-on

Accepted answer
Score: 33

There is absolutely no way for domain.com to set a cookie for domain1.com. What you are attempting to do can only be solved by getting the user's browser to submit requests to each domain which will then set its own cookie.

Then you need a way for each domain to verify the user's identity. There are two approaches to this:

  1. Back channel - the sites contact each other directly to determine if a user is logged in.
  2. Passing a token in the GET or POST - when the user's browser is redirected to the other site a digitally signed parameter is passed containing the identity and session status.

It's really quite complicated. I suggest you don't roll your own. Take a look at SimpleSAMLPHP for a PHP implementation of what I'm describing.
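The second approach in this answer (a digitally signed parameter carried in the redirect) is easy to get subtly wrong, so here is an added illustration of what such a token has to contain and what the receiving site must check. This is example code written for this page, not code from the answer or from SimpleSAMLPHP, and it uses Python rather than PHP; the shared secret, the 60-second lifetime and the field names (`sub`, `logged_in`, `iat`, `exp`, `nonce`) are constructed for the illustration. The receiving site verifies the HMAC in constant time, rejects tokens outside their lifetime, and records nonces so a captured link cannot be replayed.

```python
import base64
import hashlib
import hmac
import json
import os
import time
from typing import Optional

# Constructed shared secret for the illustration only. In a real deployment each
# pair of cooperating sites holds a key that never appears in any URL.
SHARED_SECRET = b"constructed-demo-secret-do-not-reuse"
TOKEN_TTL_SECONDS = 60  # assumption: a redirect completes within a minute

# Nonces the receiving site has already accepted, so a replayed link is refused.
_seen_nonces = set()


def _b64url(raw: bytes) -> str:
    """URL-safe base64 without padding, so the token survives a query string."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    padding = "=" * (-len(text) % 4)
    return base64.urlsafe_b64decode(text + padding)


def make_sso_token(user_id: str, logged_in: bool, now: Optional[float] = None) -> str:
    """Build the parameter the issuing site appends to the redirect URL."""
    issued = int(now if now is not None else time.time())
    payload = {
        "sub": user_id,            # identity
        "logged_in": logged_in,    # session status
        "iat": issued,
        "exp": issued + TOKEN_TTL_SECONDS,
        "nonce": _b64url(os.urandom(16)),  # one-time value against replay
    }
    body = json.dumps(payload, separators=(",", ":"), sort_keys=True).encode()
    sig = hmac.new(SHARED_SECRET, body, hashlib.sha256).digest()
    return _b64url(body) + "." + _b64url(sig)


def verify_sso_token(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Return the payload if signature, lifetime and nonce all check out, else None."""
    try:
        body_part, sig_part = token.split(".", 1)
        body = _b64url_decode(body_part)
        sig = _b64url_decode(sig_part)
    except (ValueError, TypeError):
        return None
    expected = hmac.new(SHARED_SECRET, body, hashlib.sha256).digest()
    # Constant-time comparison: a plain == would leak how many bytes matched.
    if not hmac.compare_digest(expected, sig):
        return None
    payload = json.loads(body)
    current = now if now is not None else time.time()
    if not (payload["iat"] <= current < payload["exp"]):
        return None  # expired, or issued in the future
    if payload["nonce"] in _seen_nonces:
        return None  # replayed link
    _seen_nonces.add(payload["nonce"])
    return payload


if __name__ == "__main__":
    token = make_sso_token("alice", True)
    print("issued :", token)
    print("verify :", verify_sso_token(token))
    print("replay :", verify_sso_token(token))
```

The signature covers the whole serialised payload, so the identity, the session status and the expiry cannot be altered independently; the nonce set is in-memory here, and a real site would keep it in shared storage that expires entries after `TOKEN_TTL_SECONDS`.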

Score: 6

What you're attempting can't be done. (It's a browser security issue, not a PHP one.)

Other 5 than using some form of off-site authentication, the 4 nearest you can achieve is making a cookie 3 accessible across sub-domains, in which 2 case you just use the optional 'domain' arg 1 of PHP's set_cookie function.

Score: 6

This can be done via one domain acting like a master and others like a slave.

Say we've got a domain accounts.domain.com and it's our master.

Then we've got our slaves domain.com, something.com and another.com.

When you log on at domain.com, it will actually be the site accounts.domain.com; then you'll get a cookie with a unique ID for your browser and then you'll be redirected to domain.com's post-logon landing page (i.e. domain.com/logon?check=true&unique-id=<browser unique id>&request-id=<unique request ID>). The landing page will contact accounts.domain.com, querying it with the browser ID. If the transaction's okay, then you'll get a logon cookie from domain.com.

Next, on every domain (domain.com, something.com and another.com) there will be an initial redirect to accounts.domain.com/roaming-check?return-url=<URL the redirect was initiated from>. Because we're returning home (we're already logged on at accounts.domain.com), we'll be redirected again to our landing page (<domain name>.com/logon?check=true&unique-id=<browser unique id>&request-id=<unique request ID>) and from this point it's the same as the part with logging on. We're seamlessly roamed to another domain (without the user knowing it, as browsers don't usually show the redirected page until it has passed the headers send(server)/receive(browser) section).

In case there's in fact no active logon, the site will save this "negative logon" to the session and not try to check the logon anymore (until we try to log on or load another domain).
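The master/slave flow above is the "back channel" approach from the accepted answer: the slave never trusts the unique-id in the URL on its own, it asks the master over a direct request. The following is an added, self-contained simulation of that exchange written for this page; it is not code from the answer, and it runs the three parties (browser, master, slaves) in one Python process instead of over HTTP, with the URL parameter names taken from the answer (`check`, `unique-id`, `request-id`, `return-url`). The cookie-per-domain jar, the class names and the `negative-logon` flag are constructed for the illustration.

```python
import secrets
from typing import Dict, Optional
from urllib.parse import parse_qs, urlparse


class Browser:
    """One cookie jar per domain, which is exactly why a site cannot set another site's cookie."""

    def __init__(self) -> None:
        self.cookies: Dict[str, Dict[str, object]] = {}

    def jar(self, domain: str) -> Dict[str, object]:
        return self.cookies.setdefault(domain, {})


class Master:
    """accounts.domain.com: the only site that holds the real logon state."""

    def __init__(self) -> None:
        self.sessions: Dict[str, str] = {}  # browser unique-id -> user name

    def logon(self, browser: Browser, user: str) -> str:
        """Authenticate the user and hand the browser its unique-id cookie."""
        unique_id = secrets.token_hex(16)
        self.sessions[unique_id] = user
        browser.jar("accounts.domain.com")["unique-id"] = unique_id
        return unique_id

    def roaming_check(self, browser: Browser, return_url: str) -> Optional[str]:
        """/roaming-check: redirect back to the caller's landing page, or None if not logged on."""
        unique_id = browser.jar("accounts.domain.com").get("unique-id")
        if unique_id not in self.sessions:
            return None
        request_id = secrets.token_hex(8)
        return f"{return_url}/logon?check=true&unique-id={unique_id}&request-id={request_id}"

    def verify(self, unique_id: str) -> Optional[str]:
        """Back-channel query from a slave: which user does this browser id belong to?"""
        return self.sessions.get(unique_id)


class Slave:
    """domain.com, something.com, another.com: each sets only its own logon cookie."""

    def __init__(self, domain: str, master: Master) -> None:
        self.domain = domain
        self.master = master

    def visit(self, browser: Browser) -> Optional[str]:
        """First request to this domain: use our cookie, honour a cached negative logon, else roam."""
        jar = browser.jar(self.domain)
        if "logon" in jar:
            return str(jar["logon"])
        if jar.get("negative-logon"):
            return None  # the answer's "negative logon": do not ask the master again
        redirect = self.master.roaming_check(browser, f"https://{self.domain}")
        if redirect is None:
            jar["negative-logon"] = True
            return None
        return self.landing(browser, redirect)

    def landing(self, browser: Browser, url: str) -> Optional[str]:
        """/logon?check=true&unique-id=...: confirm the id with the master before setting a cookie."""
        params = parse_qs(urlparse(url).query)
        if params.get("check") != ["true"] or "unique-id" not in params:
            return None
        user = self.master.verify(params["unique-id"][0])  # the back-channel request
        if user is None:
            return None  # an id the master does not know gets no cookie
        browser.jar(self.domain)["logon"] = user
        return user


if __name__ == "__main__":
    master, browser = Master(), Browser()
    site = Slave("something.com", master)
    print("before logon:", site.visit(browser))
    master.logon(browser, "alice")
    print("after logon :", Slave("another.com", master).visit(browser))
```

The point the simulation makes is that the only secret state lives on the master; a slave that receives a made-up `unique-id` in its landing URL sets nothing because the back-channel `verify` call returns no user.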

Score: 4

I think this solution will suit your needs: "Simple Single Sign-On for PHP"
