I have two websites I want to connect through one login page on the master site.

You log in on example1.com, and in the settings I want to select "connect to example2.net automatically". I enter the username and password and submit this to example2.net, so the username and password are sent over.

How would I do this?

Next, whenever I am logged into example1.com and click access to example2.net, I only want to send a username and API key over so it's automatically logged in.

How would I do this?

Josh Naylor
  • Store the username and password in a session variable or you could store them in a cookie and send it over. – ewein Aug 13 '12 at 13:20
  • Thanks for your response. Which of these would you say is most secure? Also, what kind of command would I use to actually send it over site? – Josh Naylor Aug 13 '12 at 13:23
  • Use cURL to post the login details to example2.net. Read the PHP docs for more info. If you get stuck, show some code and we'll work it out. – Vlad Balmos Aug 13 '12 at 13:23
  • [This](http://www.jasny.net/articles/simple-single-sign-on-for-php/) is a very good start. – Adi Aug 13 '12 at 13:25
  • IMO the best thing is to handle the login operations in one master domain. As described in http://stackoverflow.com/questions/2510049/cross-domain-login-what-to-store-in-the-database – Tchoupi Aug 13 '12 at 13:25

2 Answers

Here's a quick algorithm

  1. User logs in to site1.com and activates Single-Sign-On (maybe a checkbox).
  2. site1.com will create a database entry for that option.
  3. User visits site2.com and if not already logged in he will be redirected to site1.com/cross-authenticate.php for example.
  4. site1.com will have access to the cookie/session.
  5. If the user has activated the Single-Sign-On option, site1.com will generate a token (maybe base64 a very large and securely generated number) and store it in the database.
  6. site1.com will redirect the user to site2.com/cross-authenticate.php?key=fnapsoufhapoer8hwf9ehrgdosughpa9dhg9aer8gyesrg for example.
  7. site2.com will check the database for that key, authenticate the user then start a valid session.
Adi
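
Steps 5 to 7 of this answer as an added PHP example (not code from the answer's author): the token comes from `random_bytes()`, only its SHA-256 hash is stored, and it is single-use with a 60-second lifetime, all of which are assumptions added here. The in-memory SQLite database stands in for the database both sites can reach; the table and function names are hypothetical.

```php
<?php
declare(strict_types=1);

// Stand-in for the shared database (constructed for this example).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE sso_tokens (
    token_hash TEXT PRIMARY KEY,
    user_id    INTEGER NOT NULL,
    expires_at INTEGER NOT NULL
)');

// Step 5 (site1.com): issue a token for the user who is already logged in.
function issueToken(PDO $db, int $userId, int $ttl = 60): string
{
    $token = bin2hex(random_bytes(32));            // 256 bits from the CSPRNG
    $stmt = $db->prepare('INSERT INTO sso_tokens VALUES (?, ?, ?)');
    // Store only the hash, so a leaked table does not contain usable tokens.
    $stmt->execute([hash('sha256', $token), $userId, time() + $ttl]);
    return $token;                                 // placed in the redirect URL (step 6)
}

// Step 7 (site2.com): redeem the token; it is accepted at most once.
function redeemToken(PDO $db, string $token): ?int
{
    if (!preg_match('/\A[0-9a-f]{64}\z/', $token)) {
        return null;                               // malformed key, no lookup needed
    }
    $hash = hash('sha256', $token);
    $db->beginTransaction();
    $sel = $db->prepare('SELECT user_id, expires_at FROM sso_tokens WHERE token_hash = ?');
    $sel->execute([$hash]);
    $row = $sel->fetch(PDO::FETCH_ASSOC);
    // Delete even if expired: a key seen once is never valid again.
    $del = $db->prepare('DELETE FROM sso_tokens WHERE token_hash = ?');
    $del->execute([$hash]);
    $db->commit();
    if ($row === false || $del->rowCount() !== 1 || (int)$row['expires_at'] < time()) {
        return null;
    }
    return (int)$row['user_id'];
}

$token = issueToken($db, 42);                      // 42 is a constructed user id
$url = 'https://site2.com/cross-authenticate.php?key=' . $token;   // step 6 target
var_dump(redeemToken($db, $token));                // first use of the key
var_dump(redeemToken($db, $token));                // replay of the same key
var_dump(redeemToken($db, 'not-a-token'));         // malformed key
```

When `redeemToken()` returns a user id, site2.com would call `session_regenerate_id(true)` before storing that id in `$_SESSION`.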

Save the $_SESSION and such in a database. Then check if the connection option from one site to the other is SET. If so, when the user uses the other website, query the database (against a username or whatnot). If the entry exists, create cookies & sessions based on the database values, otherwise re-route the user back to login page.

Yan Berk
mlishn
  • Bad idea. Very bad idea! How are you planning to authenticate the user on the second site? By username? – Adi Aug 13 '12 at 13:29
  • @Adnan I don't know how his website is structured. Obviously it wouldn't just be by `username` (that's just the simplest example I could think of) – mlishn Aug 13 '12 at 13:32
  • I'm authenticating through username and API key. – Josh Naylor Aug 13 '12 at 13:34