Single login to multiple domains

[86Stang]

I've got a slew of websites and I would like to merge their logins into just one.  So, if the user logs in at site1.com, he'll also be logged into site2.com, site3.com and all other sites on my list.

 

I'd appreciate some solid tips on how I can pull this off that DON'T include using OpenID or the like.

[mattal999]

What you would do, is when the user logs in, use a standard cookie on the primary website. This will serve as the login for this particular website. Now, below that login code, add a cURL call to the other website's login script, giving it the username and password through the postdata. Let that script use that information to set an identical cookie for that domain, and do this to as many domains as you wish. Do the same on the other website, and you'll have it sorted.

[86Stang]

Using your method they would be logged in to the other sites by just having the right cookie being present, right?  I'm not a master at this (thus me asking for help lol) but that sounds like a major security issue doesn't it?

[roopurt18]

I had to do something similar for work.  I have two separate web applications which are standalone.  However I needed to "embed" one app into the other.

 

Essentially the user logs into AppA.  They then click on a link to AppB.  AppB actually opens up in an iframe under AppA's navigation menu.  But then AppB presents it's login page.  So how did I solve this?

 

Well since I control both apps I control the login mechanism.  What I did was when I create the link to AppB I include the user's session_id() in the URL.  In AppB I check for the preset session id in $_GET and if it's there I set session_id() before calling session_start().

 

Essentially I'm allowing my users to hijack their own sessions.  I don't know if this will work for you, but it worked in my case.