开发者

php session login system

开发者 https://www.devze.com 2023-02-18 11:38 出处:网络
I have a server say \'XYZ\' and many clients of different domain,say A, B and C.authentication is done at server.

I have a server say 'XYZ' and many clients of different domain, say A, B and C. authentication is done at server. - when user comes first time to any of the site, we will ask him to create the account for the site. he will enter email and password. we will sent the data to server and stores thr. now he has account in 'XYZ' so that he can login to any of the site A, B and c.

Next:for example say, He come to site B, to login, he enters email and password. we will take this data to server to verify, if password matches with email, we send status 'Yes' back to client so the he login successfully and go to inner pages.

Because sending email and status 'yes' back to clink is not safe. we are using socket programming. so that outside people will not know what data we are sending and getting 开发者_开发技巧back. because we are using socket, we are not able to create any session or cookies, because we are not opening server site in browser.

I want,like: when user successfully logs into site B. if simultaneously in next tab he goes for site C. he should not asked for to login(should not show login page). he automatically gets logged in(goes to inner pages).


The thing you're looking for is called single sign-on (abbreviated SSO) and it is a hard problem to solve correctly. There are lots and lots of SSO schemes, all of which suck horribly in their own special way.

A major obstacle in the way of your goal is how we normally keep track of logins on the web: cookies. In particular, one domain can only set cookies that belong to it. This means that if your three web sites are on three different domains, you can not have one site set a cookie for the others.

A common way around this is to actually place the authentication service on yet another domain name. Whenever you need to check that a user is logged in, you direct them to that authentication service. A popular unified sign-on mechanism, OpenID, uses this technique. OpenID is what StackOverflow uses.

(If you use the various StackExchange sites, you may have noticed that you can sometimes be automatically logged in to the others after loading a page. I'm still not sure how this works, and haven't investigated yet.)

From what you've described, you'd be well-served by central authentication. You may even find that implementing a system based on OpenID could even work well for your sites... though if you do that, I encourage you to hide the complexity of the whole URIs-as-identities thing, normal end-users are unlikely to understand the concept.


Can you set a cookie in your browser after the user logins in the XYZ site?

So now when the user visits the site A, B or C, you can check whether cookie is set against XYZ domain, and if yes, you can login the user. But note that you can only share cookies across sub domains (of XYZ), not different domains.

0

精彩评论

暂无评论...
验证码 换一张
取 消