Daniel Little wrote:

> > From: Mark Maunder [mailto:[EMAIL PROTECTED]]
> >
> > > Here's one idea that worked for me in one application:
> > >
> > >  1) assume that all hosts share the same domain suffix:
> > >
> > >       www.foo.com
> > >       www.eng.foo.com
> > >       www.hr.foo.com
> > >
> > >  2) Define a common authentication cookie that is sent to *.foo.com.
> > >     This cookie might contain the following information:
> > >
> > >        username, timestamp
> >
> > The only way I could come up with was to have the browser
> > redirected to every domain name with an encrypted uri variable
> > to prove it is signed on which causes each host included in
> > the single sign on to assign an auth cookie to the browser.
> >
> > So the browser is logged into foo.com, bar.com, baz.com and
> > boo.com by logging into foo.com which assigns a cookie and
> > redirects to bar.com which assigns a cookie and redirects
> > it to baz.com which assigns a cookie and redirects it to
> > boo.com which assigns a cookie and redirects it back to
> > foo.com. It has now collected all cookies required for
> > signon to all domain names and is logged into all of them.
>
> An alternative to this scheme - and depending on how much control you have
> over the applications / servers at each end - is to do this in a delayed
> fashion. The only time you really need to get authenticated at each server
> is when the browser is sent off to the new site. Instead of redirecting the
> browser to the new site directly, it sends it to a script on the server that
> they are currently connected to (and therefore already authenticated with)
> which requests a 'transition' token of some kind from the authentication
> server. The transition token then is used to transfer them to the requested
> server, which based on the token, does a lookup on the authentication server
> to find out if it's a valid transition token, and if so, generates a new
> cookie for them (if necessary) and logs them into the site.
>

This assumes they don't just type in the URL of the other site they want to visit
manually. It limits the user to visiting sites via links on sites they are
currently logged on to.
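The transition-token handoff described above, as an added example that is not part of the original thread: an in-memory authentication server issues a short-lived, single-use token bound to the destination host, and the destination host redeems it by looking it up. The class and function names, the URL format and the 30-second lifetime are assumptions chosen for illustration.

```python
import secrets
import time

# Constructed, in-memory model of the 'transition token' scheme from the thread.
# The authentication server hands the current site a token; the destination site
# redeems it exactly once, within a short window, and only for the host it was
# issued for, so a token leaked from a URL or a log is of little use afterwards.

class AuthServer:
    def __init__(self, ttl_seconds=30):
        self.ttl = ttl_seconds
        self.tokens = {}  # token -> (username, destination host, expiry time)

    def issue_transition_token(self, username, destination, now=None):
        """Called by the site the user is already logged into."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # unguessable, so it may travel in the URL
        self.tokens[token] = (username, destination, now + self.ttl)
        return token

    def redeem(self, token, destination, now=None):
        """Called by the destination site; returns the username or None."""
        now = time.time() if now is None else now
        entry = self.tokens.pop(token, None)  # single use: removed even if checks fail
        if entry is None:
            return None
        username, bound_destination, expiry = entry
        if bound_destination != destination or now > expiry:
            return None
        return username


def transition(auth, username, destination, now=None):
    """Site the user is on builds the redirect URL carrying the token (illustrative format)."""
    token = auth.issue_transition_token(username, destination, now)
    return f"https://{destination}/sso/land?t={token}"


def land(auth, destination, url, now=None):
    """Destination site extracts the token from the landing URL and redeems it."""
    token = url.split("t=", 1)[1]
    return auth.redeem(token, destination, now)
```

The redeem step drops the token before validating it, so a replayed, expired or mis-routed token fails closed on the authentication server rather than at the destination site.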
