Basically yes. If you don't want to (or can't) have the client carry some state with it, then you're pretty much locked into using a central database to store cross site session data. There's just no other way for site B to know that the user authenticated successfully with site A without site A and site B sharing data.
I had once explored this method, client wanted something like passport login, used by hotmail. There were about 30 tlds, and the client needed a single signon, what we did was to maintain one single authentication table, and update that with the userdata and a cookie hash. Each domain also had a session validator, that just fetched the data from the central table and stored into the php sessions, using php http client class. The user data would be fetched only if the data is not existing in the session, and the cookie hash is received. -- Jiju Thomas Mathew http://www.php-trivandrum.org
_______________________________________________ New York PHP Community Talk Mailing List http://lists.nyphp.org/mailman/listinfo/talk NYPHPCon 2006 Presentations Online http://www.nyphpcon.com Show Your Participation in New York PHP http://www.nyphp.org/show_participation.php
