The SSO solution that I’ve implemented here works as follows:

- There is a master domain, `login.mydomain.example`, with the script `master_login.php` that manages the logins.
- Each client domain has the script `client_login.php`.
- All the domains have a shared user session database.
- When the client domain requires the user to be logged in, it redirects to the master domain (`login.mydomain.example/master_login.php`). If the user has not signed in to the master, it requests authentication from the user (i.e. displays the login page). After the user is authenticated it creates a session in the database. If the user is already authenticated it looks up their session id in the database.
- The master domain returns to the client domain (`client.mydomain.example/client_login.php`), passing the session id.
- The client domain creates a cookie storing the session id from the master. The client can find out the logged-in user by querying the shared database using the session id.

Notes:

- The session id is a unique global identifier generated with the algorithm from RFC 4122.
- `master_login.php` will only redirect to domains in its whitelist.
- The master and clients can be in different top-level domains, e.g. `client1.abc.example`, `client2.xyz.example`, `login.mydomain.example`.
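As an added example (not the answer's own PHP, which is not on the page), here is a Python model of the exchange between `master_login.php` and `client_login.php` described above: the shared session database is a dict, the browser's cookie jars are dicts, the whitelisted client hostnames are constructed, and the session id is a random UUID per RFC 4122. The whitelist check parses the return URL and compares the hostname exactly, which is the check a practitioner would want to see rather than a substring match.

```python
"""Added example modelling the redirect-based SSO flow from the answer.
Not the answer's code; hostnames, store and cookie jars are constructed."""
import uuid
from typing import Optional, Tuple
from urllib.parse import urlsplit, urlencode, parse_qs

# Stand-in for the shared user session database: session_id -> username.
SESSION_DB = {}

# Client domains that master_login.php is allowed to redirect back to (constructed).
REDIRECT_WHITELIST = {"client1.abc.example", "client2.xyz.example"}

# The browser's cookie for login.mydomain.example: "sid" -> session_id.
MASTER_COOKIE = {}


def whitelisted(return_url: str) -> bool:
    """Exact hostname match against the whitelist, with https required.
    A prefix/substring check would wrongly accept client1.abc.example.evil.example."""
    parts = urlsplit(return_url)
    return parts.scheme == "https" and parts.hostname in REDIRECT_WHITELIST


def master_login(return_url: str, master_cookie: dict,
                 authenticated_user: Optional[str]) -> Tuple[str, Optional[str]]:
    """Model of master_login.php.
    Returns ('redirect', url) with the sid appended, ('login_page', None) when the
    master still needs credentials, or ('error', reason) for a non-whitelisted URL.
    authenticated_user is the outcome of the login form (None = not yet submitted)."""
    if not whitelisted(return_url):
        return ("error", "return URL not in whitelist")
    sid = master_cookie.get("sid")
    if sid is None or sid not in SESSION_DB:
        if authenticated_user is None:
            return ("login_page", None)      # display the login page
        sid = str(uuid.uuid4())              # RFC 4122 random UUID as session id
        SESSION_DB[sid] = authenticated_user  # create the session in the shared DB
        master_cookie["sid"] = sid
    sep = "&" if urlsplit(return_url).query else "?"
    return ("redirect", f"{return_url}{sep}{urlencode({'sid': sid})}")


def client_login(redirect_url: str, client_cookie: dict) -> Optional[str]:
    """Model of client_login.php: accept the sid only if the shared database
    knows it, store it in the client's own cookie, and return the user."""
    sid = parse_qs(urlsplit(redirect_url).query).get("sid", [None])[0]
    if sid is None or sid not in SESSION_DB:
        return None
    client_cookie["sid"] = sid
    return SESSION_DB[sid]


def sso_round_trip(client_host: str, user: Optional[str]) -> Tuple[str, Optional[str]]:
    """One full exchange: client redirects to master, master redirects back,
    client resolves the user from the shared database."""
    return_url = f"https://{client_host}/client_login.php"
    status, url = master_login(return_url, MASTER_COOKIE, user)
    if status != "redirect":
        return (status, None)
    client_cookie = {}
    return ("ok", client_login(url, client_cookie))


if __name__ == "__main__":
    print(sso_round_trip("client1.abc.example", "alice"))   # first login
    print(sso_round_trip("client2.xyz.example", None))      # reuses master session
    print(master_login("https://client1.abc.example.evil.example/x", {}, "alice"))
```

The second client in the round trip never sees credentials: the master cookie already holds a known sid, so the master only looks it up and redirects. Requiring `https` on the return URL matters because the sid travels in the query string of the redirect and is a bearer credential for the shared database.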