On 2/4/08, Marc Antony Vose <[EMAIL PROTECTED]> wrote:
> Hi there:
>
> I have built a system that consists of one centralized user database,
> and a few other things, that have multiple sites around the outside
> connecting to it. So, a login on one of the satellites happens
> through ajax connecting to a little proxy script on the satellite that
> uses curl to perform the actual login remotely. Each satellite
> resides on its own domain.
>
> This is all fine, until other people on the project request that
> logins be preserved, regardless of which domain the login happened on.
>
> I know that cookies have domain limitations, and so I'm trying to come
> up with a way in my head this can work, and work efficiently and
> effectively. Anyone have any ideas? Ever attempted something similar
> in the past?
>
> My first idea is something like that evil facebook script that updates
> the feed on status with things people do at other web sites (fandango,
> etc.). I suppose if some piece of javascript in the page is loaded
> remotely from the central domain, that it could look for a cookie from
> the central domain, and call a PHP script that sets a session variable
> on the satellite. (The problem I have, of course, is that my login
> technically occurs solely on the satellite, even though it connects to
> a database remotely, so I will have to rearchitect that somehow;
> perhaps forcing the entire login process to run through a JavaScript
> loaded from the central server.)
>
> Does that approach seem feasible?
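The handoff Marc sketches (central domain vouches for a user, satellite creates its own session) is usually done with a signed login ticket rather than by reading the central cookie from remote JavaScript. The following is an added example written for this thread, not code from either poster: the central server issues an HMAC-signed ticket bound to one user, one satellite (audience) and a short expiry, and the satellite checks signature, audience, expiry and single use before starting a local session. It assumes a per-satellite shared secret distributed out of band, that the ticket travels over HTTPS (for example as a query parameter on a redirect back to the satellite), and uses a plain array as a stand-in for the satellite's replay cache; the domain names, secret and timestamps are constructed values.

```php
<?php
// Added example (not from the thread): signed, short-lived, single-use
// login ticket handed from a central auth server to a satellite domain.
// Assumes: per-satellite shared secret exchanged out of band, HTTPS transport.

function b64url_encode(string $raw): string {
    return rtrim(strtr(base64_encode($raw), '+/', '-_'), '=');
}

function b64url_decode(string $enc) {
    // Strict decoding so junk characters fail instead of being skipped.
    return base64_decode(strtr($enc, '-_', '+/'), true);
}

// Central side: issue a ticket for one user, bound to one satellite domain.
function issue_ticket(string $secret, string $userId, string $audience, int $now, int $ttl = 60): string {
    $payload = json_encode([
        'sub'   => $userId,
        'aud'   => $audience,          // satellite this ticket is valid for
        'iat'   => $now,
        'exp'   => $now + $ttl,        // short lifetime limits the exposure window
        'nonce' => bin2hex(random_bytes(16)),
    ]);
    $body = b64url_encode($payload);
    $mac  = hash_hmac('sha256', $body, $secret, true);
    return $body . '.' . b64url_encode($mac);
}

// Satellite side: returns the user id on success, null on any failure.
// $seenNonces is the replay cache (in production: a store shared by all
// satellite workers, with entries expiring at the ticket's 'exp').
function verify_ticket(string $secret, string $ticket, string $myDomain, int $now, array &$seenNonces): ?string {
    $parts = explode('.', $ticket);
    if (count($parts) !== 2) return null;
    [$body, $sig] = $parts;
    $expected = hash_hmac('sha256', $body, $secret, true);
    $given    = b64url_decode($sig);
    // Constant-time comparison so the MAC check does not leak timing.
    if ($given === false || !hash_equals($expected, $given)) return null;
    $raw    = b64url_decode($body);
    $claims = ($raw === false) ? null : json_decode($raw, true);
    if (!is_array($claims)) return null;
    foreach (['sub', 'aud', 'iat', 'exp', 'nonce'] as $k) {
        if (!isset($claims[$k])) return null;
    }
    if ($claims['aud'] !== $myDomain) return null;                // issued for another satellite
    if ($claims['exp'] <= $now || $claims['iat'] > $now + 5) return null; // expired, or clock skew too large
    if (isset($seenNonces[$claims['nonce']])) return null;        // replayed ticket
    $seenNonces[$claims['nonce']] = $claims['exp'];
    return (string) $claims['sub'];
}

// Demonstration with constructed secret, domains and timestamps.
$secret = 'per-satellite-shared-secret-example';
$now    = 1200000000;
$ticket = issue_ticket($secret, 'alice', 'satellite-a.example', $now);

$cacheA = [];
var_dump(verify_ticket($secret, $ticket, 'satellite-a.example', $now + 10, $cacheA)); // string "alice"
var_dump(verify_ticket($secret, $ticket, 'satellite-a.example', $now + 10, $cacheA)); // NULL: replay

$cacheB = [];
var_dump(verify_ticket($secret, $ticket, 'satellite-b.example', $now + 10, $cacheB)); // NULL: wrong audience

$cacheC = [];
var_dump(verify_ticket($secret, $ticket, 'satellite-a.example', $now + 61, $cacheC)); // NULL: expired

// Tampering: change the user id in the body but keep the original signature.
[$body, $sig] = explode('.', $ticket);
$claims = json_decode(b64url_decode($body), true);
$claims['sub'] = 'mallory';
$forged = b64url_encode(json_encode($claims)) . '.' . $sig;
$cacheD = [];
var_dump(verify_ticket($secret, $forged, 'satellite-a.example', $now + 10, $cacheD)); // NULL: bad signature
```

Binding the ticket to an audience is what keeps a ticket issued for one satellite from being redeemed on another, and the nonce cache is what keeps a ticket captured in a log or referrer from being redeemed twice; without both, the "remote JavaScript reads the central cookie" idea degrades into a bearer token that any page on any satellite can spend.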
Hi Marc,

If you really care about security this isn't really the kind of thing that you should dream up on your own. What you're describing is called "Single Sign-On" or SSO for short.

Are your sites on the IntErnet or on an IntrAnet?

If your sites are on the IntErnet, OpenID is one solution, although I don't know what sort of access control it offers such that you can stop anyone with an OpenID account from accessing protected parts of your sites. There's also something called Stanford WebAuth which is Free so you can set up your own isolated auth server.

If you're on an IntrAnet there are a lot of products that do this sort of thing. SiteMinder is one that's been around for a long time. Although SiteMinder, Stanford WebAuth and products like it are not *true* SSO since you have to enter your credentials twice - once to log in to your workstation and then again with the auth site. With true SSO users never have to enter their credentials at all when they access a site, they just go right on. True SSO is sometimes referred to as Enterprise Single Sign-On.

If you want "Enterprise SSO" there's something called SPNEGO authentication which is a special feature of IE and some other browsers like Firefox. Microsoft calls this Integrated Windows Authentication or IWA. IIS supports SPNEGO but PHP can't access much info about the user once you authenticate and of course you have to use a Windows web server.

Finally, my company (yes this is a proprietary pitch after all) offers a full-featured SPNEGO solution specifically for PHP on Linux and FreeBSD. See sig for details.

Mike

--
Michael B Allen
PHP Active Directory SPNEGO SSO
http://www.ioplex.com/

_______________________________________________
New York PHP Community Talk Mailing List
http://lists.nyphp.org/mailman/listinfo/talk
