Implementing Single Sign On in PHP

Developer https://www.devze.com 2023-02-17 10:54 Source: the web
Can anyone point out what the obvious flaws with this approach would be, as I am sure there will be some...

  1. User tries to access restricted area on 'original box'
  2. User is not logged in, so is redirected to 'secure box'
  3. User logs in via LDAP using SSL & ldaps
  4. Session is created on 'secure box'
  5. User is redirected back to 'original box'
  6. 'original box' does a file_get_contents to session.php on 'secure box'
  7. 'secure box' checks for valid session, and if present returns username and some extra info as xml (obviously no password info)
  8. 'original box' uses xml to create local session
  9. User is allowed to progress through protected area with each page view checking 'secure box' for valid session


I don't get why you use file_get_contents() instead of include/require.

Why do you need to get the content of "session.php" at all? Couldn't you simply use $_SESSION['myVar'] to get the session info you need?


  1. To pass the data: serialize an object (from the session class),
    or alternatively serialize an array containing what you need.

  2. To transfer the data and keep it accurate:
    memcached (which might get updated by any site, i.e. expired session, logout)
    [no]SQL server (can be read-only for services using SSO)
    a text file on 'secure box' (assuming it doesn't contain any sensitive data)

By the way: an SSO system's purpose is only to validate the user credentials. No groups etc.
It usually returns either a redirect or the username (using an https check)...

Make sure you use SSL trust between them: to verify whether the service is allowed to use SSO, and, for the service, whether someone is faking the 'secure box'.

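The hand-off in steps 4 to 8 of the question, together with the "SSL trust" point in the last answer, as an added PHP example that is not part of the original post or of any answer. It assumes hypothetical hostnames (secure.example.test and original.example.test), a hypothetical shared secret known to both boxes, and an in-memory array standing in for the shared ticket store; both boxes run in one process so that it executes offline, with an in-process fetcher taking the place of the HTTPS call to session.php.

```php
<?php
// Added example, not code from the original post. Models the hand-off between
// 'secure box' and 'original box' with a single-use ticket that rides the
// redirect, because a server-side file_get_contents() never carries the user's
// browser cookie for 'secure box'. Hostnames, the shared secret and the
// in-memory ticket store are hypothetical stand-ins for this demo.
declare(strict_types=1);

const SECURE_BOX_URL = 'https://secure.example.test/session.php'; // hypothetical
const SERVICE_SECRET = 'shared-secret-known-to-both-boxes';        // hypothetical

// ---------------- 'secure box' side ----------------

/** Mint a ticket after the LDAP login succeeded (step 4). Expires in 60 s. */
function issueTicket(array &$store, string $username, string $service): string
{
    $ticket = bin2hex(random_bytes(32));   // 256 random bits: unguessable
    $store[$ticket] = ['user' => $username, 'service' => $service, 'exp' => time() + 60];
    return $ticket;
}

/** session.php (step 7): check the caller's MAC and the ticket, answer with XML. */
function sessionEndpoint(array &$store, string $ticket, string $service, string $mac): string
{
    // Only a service holding SERVICE_SECRET can produce this MAC (service allow-list).
    $expected = hash_hmac('sha256', $ticket . '|' . $service, SERVICE_SECRET);
    if (!hash_equals($expected, $mac)) {
        return '<sso><valid>false</valid><reason>bad-mac</reason></sso>';
    }
    $entry = $store[$ticket] ?? null;
    unset($store[$ticket]);                // single use: a replay finds nothing
    if ($entry === null || $entry['service'] !== $service || $entry['exp'] < time()) {
        return '<sso><valid>false</valid><reason>no-session</reason></sso>';
    }
    $xml = new SimpleXMLElement('<sso/>');
    $xml->addChild('valid', 'true');
    $xml->addChild('username', htmlspecialchars($entry['user'], ENT_XML1)); // addChild does not escape '&'
    return (string) $xml->asXML();         // username only; no password material
}

// ---------------- 'original box' side ----------------

/** TLS settings for file_get_contents(): refuse a faked 'secure box'. */
function secureContext()
{
    return stream_context_create(['ssl' => [
        'verify_peer'       => true,
        'verify_peer_name'  => true,
        'allow_self_signed' => false,
        // 'cafile' => '/etc/ssl/sso-ca.pem', // pin the CA that issued the 'secure box' cert
    ]]);
}

/** Step 6: call session.php. $fetch is injectable so the demo can run offline. */
function fetchSession(string $ticket, string $service, ?callable $fetch = null): string
{
    $mac = hash_hmac('sha256', $ticket . '|' . $service, SERVICE_SECRET);
    $url = SECURE_BOX_URL . '?' . http_build_query(['t' => $ticket, 's' => $service, 'm' => $mac]);
    $fetch ??= fn(string $u): string => (string) file_get_contents($u, false, secureContext());
    return $fetch($url);
}

/** Step 8: parse the reply without DTDs or network access, build the local session data. */
function createLocalSession(string $xml): ?array
{
    if (stripos($xml, '<!DOCTYPE') !== false) {
        return null;                       // no DTD, hence no external entities (XXE)
    }
    $doc = simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NONET);
    if ($doc === false || (string) $doc->valid !== 'true' || (string) $doc->username === '') {
        return null;
    }
    // In a real page this array would go into $_SESSION after session_start().
    return ['username' => (string) $doc->username, 'sso_checked_at' => time()];
}

// ---------------- the exchange, both boxes in one process ----------------
$tickets  = [];                                          // stands in for the shared store
$service  = 'original.example.test';                     // hypothetical 'original box'
$ticket   = issueTicket($tickets, 'alice', $service);    // step 4
$redirect = 'https://' . $service . '/restricted?t=' . $ticket; // step 5: ticket rides the redirect
echo "redirect to: $redirect\n";
// Steps 6 and 7, served in-process instead of over HTTPS:
$inProcess = function (string $url) use (&$tickets): string {
    parse_str((string) parse_url($url, PHP_URL_QUERY), $q);
    return sessionEndpoint($tickets, $q['t'], $q['s'], $q['m']);
};
$local = createLocalSession(fetchSession($ticket, $service, $inProcess));
echo "first check: ", json_encode($local), "\n";
$replay = createLocalSession(fetchSession($ticket, $service, $inProcess));
echo "replayed ticket: ", var_export($replay, true), "\n";
```

The ticket is the piece the question's step 6 leaves implicit: when 'original box' calls session.php from the server side, 'secure box' sees a request from another server, not from the user's browser, so nothing in that request identifies which session to check unless the redirect in step 5 carries something that does. The HMAC over ticket and service name is one way to let 'secure box' tell allowed services from anyone who learns the URL; a client certificate on the same TLS connection would serve the same purpose. On the calling side, verify_peer and verify_peer_name are what make "SSL trust" real, since file_get_contents() with a bare https:// URL and no checks accepts whatever certificate it is shown. The DOCTYPE refusal and LIBXML_NONET keep the XML step from being turned into an entity-expansion or file-read primitive if the reply is ever attacker-controlled. Because a consumed ticket is gone, the per-page check in step 9 would need either a fresh ticket per request or a server-to-server lookup keyed on something other than the one-time value.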