Loggin a user across different domains

Question

Hello,

two years ago I had to design a system to share authentication data across multiple domains, all of them shared the same server/db. I was able to pull this off with a complex system of cookie sharing which, to date still works.

I'm now in the process of redesigning the system and I was wondering if there are better ways to achieve this without having to write cross domain cookies.

Basically the system MUST do this.

Once logged in one site the user must be logged in all of the other site seamlessly, not only following a link, but even by directly writing the domain name on the address bar.

To my knowledge the only way to achieve this are cross-domain cookies, if there are alternatives please tell me.

Thank you very much

Answer 1

For this you do have to use cookies, but you can vary what you store in the cookie. The cookie doesn't have to contain user credentials but can instead contain something more like a token that you use to "centralize" your sessions.

Easies way would be to let all hosts share a single memcached server and use the content of the users cookie as your key.

Answer 2

My Idea would be to include a login-Javascript from a third domain which gets includet in all sites. This javascript sets and reads the session-cookie and calls the current domains server via ajax with the result. (No validation should be done in the JS - this simply sets and reads the cookie)

If cross domain AJAX does not work, you can still call the thirds domain server which acts like a proxy and calls the current domains server.

Answer 3

The StackOverflow sites have implemented something similar to this. Check out the details at the following links.

Here is a post giving an outline of how they did it.

And here is even more detail.