At 11:37 PM 9/7/00 -0600, Joe Pearson wrote:
>I thought you could set a cookie for a different domain - you just can't
>read a different domain's cookie. So you could simply set 3 cookies when
>the user authenticates.
I don't think you can set a cookie for a completely different domain, based
on my reading of RFC2109 and some empirical tests ... it would be a massive
privacy/security hole, yes?
- Simon
>Now I'm curious, I'll need to try that.....
>
>--
>Joe Pearson
>Database Management Services, Inc.
>208-384-1311 ext. 11
>http://www.webdms.com
>
>-----Original Message-----
>From: Aaron Johnson <[EMAIL PROTECTED]>
>To: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
>Date: Thursday, September 07, 2000 10:08 AM
>Subject: [OT?] Cross domain cookie/ticket access
>
>
> >I am trying to implement a method of allowing access to three separate
> >servers on three separate domains.
> >
> >The goal is to only have to login once and having free movement across
> >the three protected access domains.
> >
> >A cookie can't work due to the limit of a single domain.
> >
> >Has anyone out there had to handle this situation?
> >
> >I have thought about several different alternatives, but they just get
> >uglier and uglier.
> >
> >One thought was that they could go to a central server and login. At
> >the time of login they would be redirected to a special page on each of
> >the other two servers with any required login information. These pages
> >would in turn return them to the login machine. At the end of the login
> >process they would be redirected to the web site they originally wanted.
> >
> >This is a rough summary of what might happen -
> >
> >domain1.net - user requests a page in a protected directory. They
> >don't have a cookie.
> >They are redirected to the cookie server. This server asks for the user
> >name and pass and authenticates the user. Once authenticated the cookie
> >server redirects the client to each of the other (the ones not matching
> >the originally requested domain) domains. This redirect is a page that
> >hands the client a cookie and sets up the session information.
> >domain2.net gets the request and redirects the user to a page that will
> >return them to the cookie machine which will add the domain2.net to the
> >list of domains in the cookie. And then the process will repeat for each
> >domain that needs to be processed.
> >
> >Am I crazy? Did I miss something in the documentation for the current
> >Session/Auth/Cookie modules?
> >
> >I did some hacking of the Ticket(Access|Tool|Master) Example in the
> >Eagle book, but the cookie limit is keeping it from working correctly.
> >( BTW: I already use it for a single server login and it works great. )
> >
> >Any information would be appreciated.
> >
> >Aaron Johnson
> >
> >
-----------------------------------------------------
Simon Rosenthal ([EMAIL PROTECTED])
Web Systems Architect
Northern Light Technology 222 Third Street, Cambridge MA 02142
Phone: (617)621-5296 : URL: http://www.northernlight.com
"Northern Light - Just what you've been searching for"