Posted to users@tomcat.apache.org by Will Hartung <wi...@msoft.com> on 2003/12/02 19:30:56 UTC

Cross site "single sign on"

Hi all!

Not necessarily Tomcat specific, but I'm curious what others may have done
to support cross site single sign on.

The basic problem is that customer goes to site A, and logs in. Then while
navigating that site, they eventually head over to site B.

Of course when they hit site B, the customer should already be "logged in".

If site A and site B live in the same domain space (say, site.com and
b.site.com), then a "site.com" cookie should be able to be used as a token
that shows login. Of course, this requires cookies. It also requires both
sites to "maintain" the cookie if the cookie is allowed to expire (say, it's
only useful for 30 minutes).

However I think this would have to be a "signed" cookie, where both
participating servers encrypt the cookie with a known key (perhaps a shared
public key).

Now, if you have sitea.com and siteb.com, then the cookie technique can't
work (as neither can set a cookie for the other). So, I'm thinking that you
can do something similar, a signed token, in a hidden field and then having
to submit a form to get to the new site.

Of course, you can always stick the token on the URL as well.

Does that sum it up? Any other ways for cooperating sites to "transparently"
exchange credentials? I suppose the back ends can do it. Send signed packets
to each other during their log in processes to notify cooperating services.

But if your logins "time out", you still need to constantly update the
session information. It's not enough to know that "Bob signed in at 10am,
and expires at 10:30". If Bob actively uses the site, you want the time out
to be since last activity.

How are others doing this and what have you found effective?

Regards,

Will Hartung
(willh@msoft.com)



---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
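The signed token with a sliding idle timeout that the post sketches, written out here as an added Python example (it is not code from the thread or from any project mentioned in it). It assumes the "known key" shared by the two servers is a symmetric secret used for an HMAC; the key value, the user name and the timestamps are constructed for the demo. The same token string serves as the `site.com` cookie value in the same-domain case and as the hidden-field or query-string value in the cross-domain case.

```python
import base64
import hashlib
import hmac
import json
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed shared secret for the demo. In practice each cooperating site
# loads it from its own configuration; it never travels inside the token.
SHARED_KEY = b"example-shared-key-for-demo-only"

# The post's "only useful for 30 minutes", measured from last activity.
IDLE_TIMEOUT = 30 * 60


def _b64e(raw: bytes) -> str:
    """URL-safe base64 without padding, so the token is safe in cookies and URLs."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(claims: dict, key: bytes) -> str:
    """Serialize the claims and append an HMAC-SHA256 over them."""
    payload = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    sig = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64e(payload) + "." + _b64e(sig)


def issue_token(user: str, now: int, key: bytes = SHARED_KEY) -> str:
    """Site A creates the token at login; 'last' starts equal to 'issued'."""
    return _sign({"user": user, "issued": int(now), "last": int(now)}, key)


def verify_token(token: str, now: int, key: bytes = SHARED_KEY,
                 idle_timeout: int = IDLE_TIMEOUT):
    """Return the claims if the token is authentic and not idle-expired, else None.

    The signature is checked before anything in the payload is trusted, and the
    comparison is constant-time so a forged signature cannot be guessed byte by byte.
    """
    try:
        payload_b64, sig_b64 = token.split(".", 1)
        payload = _b64d(payload_b64)
        sig = _b64d(sig_b64)
    except (ValueError, TypeError):  # malformed token or bad base64
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    claims = json.loads(payload)
    # Sliding timeout: what matters is time since last activity, not since login.
    if now - claims["last"] > idle_timeout:
        return None
    return claims


def refresh_token(token: str, now: int, key: bytes = SHARED_KEY):
    """Each site calls this on user activity: re-issue with an updated 'last'.

    The original 'issued' time is preserved so a site can still enforce an
    absolute maximum session age if it wants one. Returns None if the token
    is no longer valid, in which case the user must log in again.
    """
    claims = verify_token(token, now, key)
    if claims is None:
        return None
    return _sign({"user": claims["user"], "issued": claims["issued"],
                  "last": int(now)}, key)


def handoff_url(target: str, token: str) -> str:
    """Cross-domain case: site A sends the browser to site B with the token on the URL."""
    return target + ("&" if "?" in target else "?") + urlencode({"sso": token})


def token_from_url(url: str):
    """Site B pulls the token back out of the request URL (None if absent)."""
    values = parse_qs(urlparse(url).query).get("sso")
    return values[0] if values else None


if __name__ == "__main__":
    t0 = 1_000_000
    tok = issue_token("bob", t0)
    print("valid after 10 min:", verify_token(tok, t0 + 600) is not None)
    tok = refresh_token(tok, t0 + 600)
    print("still valid 45 min after login thanks to refresh:",
          verify_token(tok, t0 + 2700) is not None)
    url = handoff_url("https://siteb.example/welcome", tok)
    print("site B recovers user:", verify_token(token_from_url(url), t0 + 2700)["user"])
```

Putting the token on the URL works, but the value then shows up in browser history, proxy and server logs and Referer headers, so site B should exchange it for its own cookie on arrival and treat the URL form as short-lived; the hidden-field POST the post describes avoids most of that leakage.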


Re: Cross site "single sign on"

Posted by Tim Funk <fu...@joedog.org>.
Sounds like pubcookie:
http://pubcookie.org/

-Tim

Will Hartung wrote:
> Hi all!
> 
> Not necessarily Tomcat specific, but I'm curious what others may have done
> to support cross site single sign on.
> 
> The basic problem is that customer goes to site A, and logs in. Then while
> navigating that site, they eventually head over to site B.
> 
> Of course when they hit site B, the customer should already be "logged in".
> 
> If site A and site B live in the same domain space (say, site.com and
> b.site.com), then a "site.com" cookie should be able to be used as a token
> that shows login. Of course, this requires cookies. It also requires both
> sites to "maintain" the cookie if the cookie is allowed to expire (say, it's
> only useful for 30 minutes).
> 
> However I think this would have to be a "signed" cookie, where both
> participating servers encrypt the cookie with a known key (perhaps a shared
> public key).
> 
> Now, if you have sitea.com and siteb.com, then the cookie technique can't
> work (as neither can set a cookie for the other). So, I'm thinking that you
> can do something similar, a signed token, in a hidden field and then having
> to submit a form to get to the new site.
> 
> Of course, you can always stick the token on the URL as well.
> 
> Does that sum it up? Any other ways for cooperating sites to "transparently"
> exchange credentials? I suppose the back ends can do it. Send signed packets
> to each other during their log in processes to notify cooperating services.
> 
> But if your logins "time out", you still need to constantly update the
> session information. It's not enough to know that "Bob signed in at 10am,
> and expires at 10:30". If Bob actively uses the site, you want the time out
> to be since last activity.
> 
> How are others doing this and what have you found effective?
> 
> Regards,
> 
> Will Hartung
> (willh@msoft.com)
> 
