I have a network of sites. Some of them are subdomains and others are domains. I want to create a central login place for all my users, like http://login.example.com/, where they can log in. I have a sign-in link on all the sites which the user can click to sign in. If they sign in once, they should be transparently logged in to all other sites as well. I would also want to get them logged off the entire network if they log off on one site. I do not want to send them back to http://login.example.com/ when they go to a different site of the network. Is it possible to implement this? Can OAuth or OpenID help me with this? How can I implement such a solution, preferably in Python using Django? Is it possible to implement this securely without using SSL?

+1  A: 

When the user has successfully logged in, put auto-submitting forms that log him in on all the other sites, targeting iframes, on the page he sees next. Alternatively, if a session ID is valid across all domains, put images on the page he sees next that point to URLs like "domain5.example.org/setcookie?cookie=65277af767fea" which return Set-Cookie headers.

thejh
Can you please explain this in a bit more detail?
Shubh
I am concerned because http://stackoverflow.com/questions/1043111/transparent-user-session-over-several-sites-single-sign-on-single-sign-off/1057199#1057199 shows a pretty big solution.
Shubh
@Shubh: That's another way, but I think that you don't have to do it that complicated.
thejh
+1  A: 

Here's one example of how this can work. When a Wikipedia (en.wikipedia.org) editor logs in, images are loaded from Wikipedia's sister sites such as Wiktionary (en.wiktionary.org), Wikinews (en.wikinews.org), and others. The images' URLs contain query strings as tokens that prove that the user is logged in, and that way, the server can set cookies on all the main domains that it needs to (working like ad networks' user tracking).

Create an account on Wikipedia if you want to see it in action. Hint: Wikipedia has many different sites for different languages, but it only has to set one cookie for itself because all of the different languages are subdomains under the same domain (wikipedia.org).

idealmachine
OK. Are there any downsides to this method?
Shubh
I am concerned because http://stackoverflow.com/questions/1043111/transparent-user-session-over-several-sites-single-sign-on-single-sign-off/1057199#1057199 shows a pretty big solution.
Shubh
One is that Safari ships with a conservative cookie policy. It might be necessary in that browser for users to log in to each site separately (although the same usernames/passwords can be used).
idealmachine
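Both answers describe the same mechanism: after login, the page loads images from every other site in the network, and each image URL carries a token that lets that site set its own session cookie. The following is an added example (not code from either answer or from Wikipedia) showing that flow in plain Python without Django, with the checks the receiving `/setcookie` handler should make before trusting a token from a URL: HMAC signature, expiry, audience (one token per site) and single use. The shared key, domain names and endpoint path are constructed for the demo.

```python
import base64, binascii, hashlib, hmac, json, secrets, time

# Constructed demo values: in a deployment each site would hold its own secret server-side.
SSO_KEY = b"constructed-demo-key-shared-with-every-satellite-site"
TOKEN_TTL = 60  # seconds: the token only has to survive one page load

def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_login_token(user_id, audience, now=None):
    """Central login site: sign a claim that user_id is logged in, valid for one target site."""
    now = time.time() if now is None else now
    claims = {"sub": user_id, "aud": audience, "exp": now + TOKEN_TTL, "jti": secrets.token_hex(8)}
    payload = json.dumps(claims, separators=(",", ":")).encode()
    sig = hmac.new(SSO_KEY, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)

def beacon_urls(user_id, sites):
    """Image URLs for the page shown after login; each carries a token for exactly one site."""
    return [f"https://{site}/setcookie?token={mint_login_token(user_id, site)}" for site in sites]

class SatelliteSite:
    """The /setcookie handler of one network site, reduced to its decision logic."""
    def __init__(self, domain):
        self.domain = domain
        self.seen_jti = set()   # replay protection; a shared cache in a real deployment
        self.sessions = {}      # local session id -> user id

    def setcookie(self, token, now=None):
        """Return the Set-Cookie value for a fresh local session, or None to refuse the token."""
        now = time.time() if now is None else now
        try:
            payload_b64, sig_b64 = token.split(".")
            payload, sig = _unb64(payload_b64), _unb64(sig_b64)
        except (ValueError, binascii.Error):
            return None
        # Verify the signature before parsing anything the client controls.
        if not hmac.compare_digest(hmac.new(SSO_KEY, payload, hashlib.sha256).digest(), sig):
            return None
        claims = json.loads(payload)
        # Refuse tokens minted for another site, expired ones, and ones replayed from a log or cache.
        if claims["aud"] != self.domain or claims["exp"] < now or claims["jti"] in self.seen_jti:
            return None
        self.seen_jti.add(claims["jti"])
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = claims["sub"]
        # Secure and SameSite=None are what a cross-site image response needs for the cookie to be kept.
        return f"sessionid={sid}; Domain={self.domain}; Path=/; Secure; HttpOnly; SameSite=None"
```

Because the token travels in a URL (and so into referrer headers and server logs), the short lifetime and single-use check are what keep it from becoming a reusable credential; the `Secure` flag also answers the question about SSL, since a cross-site cookie will not be stored without it in current browsers.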