views:

318

answers:

5

Not sure if the title is quite right for the question but I can't think of any other way to put it.

Suppose you wanted to create multiple different web apps, but you wanted a user who was logged into one app to be able to go straight to your other app without re-logging in (assuming they have perms to look at the other app as well). If I'm not mistaken, if you're logged into Gmail you can go straight to your iGoogle, Google Reader, etc. without re-logging in (if you set it up right).

How would you approach this? What would you use? Assume the apps already exist and you don't want to change the initial login page for the users.

+3  A: 

You would issue a cookie against foo.com, which would then be visible on app1.foo.com, app2.foo.com.

Each application can then use the cookie to access a centralised authentication system.

Paul Dixon
+6  A: 

What you're looking for is called Single Sign On. If you follow the link you'll find several implementations.

Open ID as others have mentioned is not such a scheme as it requires a separate login for each site. Open ID is merely a shared authentication system.

dimitrisp
A: 

As mentioned you can use something like OpenID or similar to make the process simple. Otherwise if you roll your own you could use a cookie to store the login, then basically ALL applications must have an entry point that mimics the base url.

Google for example uses mail.google.com as a pipeline into Gmail which allows it to read a cookie stored with the google.com domain.

Mitchel Sellers
+1  A: 

What you want is a single sign-on (SSO).

There are two approaches to solving this problem:

  1. Roll your own implementation. In its most trivial form it can be implemented by the first site setting a cookie that holds the ticket for the logged on user and the second site verifying that ticket and accepting the logged on user. There are quite a lot of potential pitfalls here:

    • you have to protect yourself against information disclosure - make sure that the ticket does not contain the actual user credentials
    • you have to protect yourself against spoofing - a man in the middle stealing a valid ticket and impersonating one of your users
    • and others
  2. Adopt a third party SSO mechanism. Google, Microsoft, Facebook and other big companies allow integrating with their identity providers, so that your users could log on to their website and they handle verification, ticket issuing and so on. There's also OpenID, which is an open protocol you can use to enable SSO on your site through virtually any identity provider that supports OpenID. The potential drawback here is that somebody else controls your access to your user identity and can limit the features you can offer and data you can mine for your users.

Franci Penov
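A minimal version of the roll-your-own ticket scheme described in the answer above, as an added example that is not the answer author's code: the first site issues an HMAC-signed, expiring ticket that carries only the user id and the apps the user may enter (never the credentials), the cookie is scoped to the parent domain so every sub-domain app sees it, and the second site checks signature, expiry and app membership before accepting the user. The shared secret, the foo.com domain and the app names are assumed; the signature stops ticket forgery, while the short TTL and the Secure/HttpOnly flags limit what a stolen ticket is worth.

```python
import base64, hashlib, hmac, json, os, time

# Constructed shared secret; in practice each app reads it from its own config.
SECRET = b"example-shared-secret-change-me"
TICKET_TTL = 15 * 60  # seconds a ticket stays valid


def _sign(payload: bytes, secret: bytes) -> str:
    return hmac.new(secret, payload, hashlib.sha256).hexdigest()


def issue_ticket(user_id: str, apps: list, secret: bytes = SECRET, now: float = None) -> str:
    """Build the SSO ticket the first site stores in the foo.com cookie.
    It carries only the user id, allowed apps, expiry and a nonce: no password."""
    now = time.time() if now is None else now
    body = {"sub": user_id, "apps": apps, "exp": int(now) + TICKET_TTL,
            "nonce": base64.urlsafe_b64encode(os.urandom(8)).decode().rstrip("=")}
    raw = json.dumps(body, separators=(",", ":")).encode()
    payload = base64.urlsafe_b64encode(raw).decode().rstrip("=")
    return f"{payload}.{_sign(payload.encode(), secret)}"


def verify_ticket(ticket: str, app: str, secret: bytes = SECRET, now: float = None):
    """Second site's check: valid signature, not expired, user allowed into this app.
    Returns the user id, or None if any check fails."""
    now = time.time() if now is None else now
    try:
        payload, sig = ticket.rsplit(".", 1)
    except ValueError:
        return None  # not even the right shape
    # Constant-time comparison so the check does not leak how many bytes matched.
    if not hmac.compare_digest(sig.encode(), _sign(payload.encode(), secret).encode()):
        return None
    padded = payload + "=" * (-len(payload) % 4)  # restore stripped base64 padding
    body = json.loads(base64.urlsafe_b64decode(padded))
    if body["exp"] <= now or app not in body["apps"]:
        return None
    return body["sub"]


def sso_cookie_header(ticket: str) -> str:
    """Set-Cookie line scoped to the parent domain so app1/app2.foo.com both see it."""
    return (f"Set-Cookie: sso_ticket={ticket}; Domain=foo.com; Path=/; "
            f"Max-Age={TICKET_TTL}; Secure; HttpOnly; SameSite=Lax")
```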
+3  A: 

Try CAS it should provide the features you are looking for.

Philip T.