I have several sites in different domains: example.com, example.org, mail.example.com and passport.example.org. All of the sites have a common look-and-feel and should share the same user base.
And in such an extreme case I still want all the sites to transparently (as much as possible) share user sessions, with the following key properties:
1. Single sign-on. When a user signs on at passport.example.org and visits any other site — he should be treated as logged in. Logged-in users get a “Hello, $username” greeting in the site header and a different navigation menu, listing the services they have access to. If he's not signed in, instead of the greeting there's a “Sign on” link, pointing to passport.example.org/signon.
The list of trusted domains is known, so this is fairly simple to implement either with OpenID or with some homebrewed lightweight protocol. When a user first hits the site, I'm redirecting him to a special authentication endpoint at passport.example.org, which then silently redirects him back, with identity information (or a “not signed on” anonymous identity) included. For most browsers this is completely transparent. Obviously, I'm using nonce values to fight redirection loops.
2. Single sign-off. When a user clicks “sign off” in the header of any site, the next time he visits any site — he should be seen as “not signed on”.
OpenID was not designed for this. My current idea (I already have a partially working implementation) is to send not the user identity, but a “global” session token, and to share a global sessions table (global_session_token ↔ user relation) in the DB.
3. Robots and cookieless-users support. Sites have public areas, which should be accessible by user-agents without any cookie support.
Because of this, the redirection I've mentioned in (1) becomes a problem, because for every single page request I'll end up throwing the user-agent to the auth endpoint and back. Not only will this confuse robots, but it will pollute my session database with dead-on-birth sessions very quickly. And I definitely don't want to display a “hey, you don't have cookies enabled, go away!” page; that'd be extremely rude and disappointing. While I require cookie support to log in, I want users to freely read what the sites are for and so on — without any restrictions.
And I explicitly don't want to put session IDs in URLs, except for the transparent cross-domain redirections I've mentioned. I believe doing so is a security problem and just generally a Bad Thing.
And here I'm almost out of ideas.
Okay, I know this is hard, but Google actually does this somehow (with google.com, google.lot-of-gTLDs, gmail.com and so on), right? So this should be possible.
I'd be grateful for either protocol description ideas (that'd be the best) or links to systems (either code to read or just live sites to watch and learn from) already successfully implementing something like this.
To sum it up: Several domains without common root, shared user base, single sign-on, single sign-off, no cookies required to browse anonymously.
All of the sites are on the same network (but rest on different servers) and partially share the same Postgres database (resting in different schemas of the same database). Most of the sites are written with Python/Django, but some of them are using PHP and Ruby on Rails. While I'm thinking of something framework- and language-agnostic, I'm grateful for pointers to any implementations. Even if I won't be able to use them, if I get the idea of how it's done there, maybe I'll be able to come up with something similar.
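As an added example (not code from the question or from any of the sites described), here is a sketch of the cross-domain handoff in properties (1) and (2): the passport endpoint hands back a signed, short-lived, single-audience assertion carrying the global session token (or none for anonymous visitors), the receiving site checks the signature, audience, nonce and expiry before trusting it, and sign-off removes the row from the shared sessions table so every site sees the user as signed off on its next lookup. Python is used since most of the sites are Django; the HMAC shared secret, the 60-second lifetime and the in-memory dict standing in for the shared Postgres table are assumptions.

```python
import hashlib, hmac, json, secrets, time

# Hypothetical shared secret between passport.example.org and one site
# (one per site in practice, kept server-side, never sent to the browser).
SHARED_SECRET = b"constructed-demo-secret"

# Stand-in for the shared global_sessions table (global_session_token -> user).
global_sessions = {}

def sign_on(username):
    """passport side: create a global session, return its token."""
    token = secrets.token_urlsafe(32)
    global_sessions[token] = username
    return token

def sign_off(token):
    """single sign-off: drop the row; every site's next lookup sees it gone."""
    global_sessions.pop(token, None)

def issue_assertion(site, nonce, token, now=None):
    """passport side: value carried in the redirect back to `site`.
    token is None for a visitor who is not signed on."""
    claims = {"aud": site, "nonce": nonce, "gst": token,
              "exp": int(now if now is not None else time.time()) + 60}
    body = json.dumps(claims, sort_keys=True).encode()
    sig = hmac.new(SHARED_SECRET, body, hashlib.sha256).hexdigest()
    return body.hex() + "." + sig

def verify_assertion(assertion, site, expected_nonce, now=None):
    """site side: the user for a valid signed-on assertion, None for anonymous;
    ValueError for anything forged, replayed, minted for another site or expired."""
    try:
        body_hex, sig = assertion.split(".", 1)
        body = bytes.fromhex(body_hex)
    except ValueError:
        raise ValueError("malformed assertion")
    want = hmac.new(SHARED_SECRET, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(want, sig):   # constant-time comparison
        raise ValueError("bad signature")
    claims = json.loads(body)
    if claims["aud"] != site:                # minted for a different domain
        raise ValueError("wrong audience")
    if claims["nonce"] != expected_nonce:    # not the handoff this site started
        raise ValueError("nonce mismatch")
    if claims["exp"] < (now if now is not None else time.time()):
        raise ValueError("expired")
    if claims["gst"] is None:
        return None                          # anonymous identity
    return global_sessions.get(claims["gst"])  # None if signed off meanwhile
```

The site stores the nonce it generated before redirecting and passes it as expected_nonce, so an assertion cannot be replayed into a different handoff or bounced between domains.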