Remote Authentication?

[roopurt18]

Say a business partnership is made between the makers of Product A and Product B.  Each product has its own authentication system.  What's the best to log a user into both systems when they log into either product?

[corbin]

Are they on the same host?

 

 

Edit:  Oh, based on the title their not.  But, still asking, just in case.

[roopurt18]

No, they're not.

[tibberous]

That really depends on how the systems are setup currently. You could make a new table and keep two copies of it, one on each server. When a user logged in on either system, the server could send a request to the other server to let it know to store a new session record, and the session records could be stored in cookies because they'll expire.

 

So, lets say I log in at Site A. Site A adds me to it's session table, it stores my user id, a timestamp, and a huge hash. Then, it sends all that data to Site B, which makes an identical record. It also stores the hash as a cookie on my computer. Now, whenever I go to either site, it just checks to make sure I have a valid hash, and if I do, I'm logged in.

 

The easiest way to do the server to server communication is probably http requests, that way you don't need anything except Apache (ie: no persistently running socket apps) I think you can use file_get_contents to send get parameters in the URL, but if you want something a lot more robust, Manuel Lemos wrote a CURL alternative that handles get, post and even file transfers.

[GingerRobot]

It also stores the hash as a cookie on my computer

 

Isn't this where that all falls down? You wouldn't be able to set the cookie for the second site.

 

I'm struggling to see a way around that to be honest.

[roopurt18]

I guess site A could embed and iframe pointing to a URL on site B; the URL has any info needed in it and site B sets the cookie.

 

Terribly insecure though.

[The Little Guy]

1 Database, mysql can login to remote databases.

[Daniel0]

1 Database, mysql can login to remote databases.

 

You still have the problem with the cookies.

[roopurt18]

I think I know how this can be done, but I don't like it.

 

User logs into site A and authenticates as normal.  In addition, site A generates a unique hash and sends it to site B along with the user it belongs to.  Site B stores the hash.  In the final output, include an img-tag that points to a script on site B; this script must accept the unique hash generated previously.  The browser will try and load the image and hit the script on site B, which can compare the provided hash to its database.  If the hash is found in the database, site B also starts a session and stores info for the user being logged in.

 

Then site A can link to site B normally and site B should pick up that the user is logged in.  It's messy and I really don't want to implement it though.