Dear page,

I have read many articles on this page about cross-domain SSO. They are very helpful and very nice, but I have a question: when the site www.domain1.com uses the account user1 for logging in and the site www.domain2.com uses the account user2, what happens when we refresh the site www.domain3.com? When two cookies are created, which cookie does the site domain3.com get, and why? Can you explain this for me?
Thank you for reading,

Best regards,

Jimmy

1 solution

I think you might be missing a piece of the puzzle. I'm going to generalize a bit here because you can write a book on this (in fact, people have!).

A critical component to implementing single sign on (SSO) is the need for an SSO provider. There are many implementations for this (OAuth, OpenID, Facebook to name a few) and your application(s) will interact with this provider to authenticate the user. The way you authenticate the user will greatly depend on how the provider is implemented. There are RFC standards for things like OAuth, but people don't always adhere to the rules. :)

Typically, you will get back some sort of security token that is proof the user is authenticated. Now, you need to store that token to validate the user on subsequent requests. Typically, this is stored on the client side in the form of a cookie. This is where it gets fun. Depending on the provider, either you set the cookie or the provider's website sets the cookie. I believe the way Facebook does theirs is they set the cookie and they provide a piece of JavaScript or a web part that allows your web page to recognize they are logged in and authenticated. You may need to double check that one.

The last piece of the puzzle is you don't want the SSO cookie to expire before the SSO token expires. This allows them to reuse the token regardless of how often your site is deployed or refreshed and all session data is lost.

So in a nutshell, the provider you are working with will dictate the rules of engagement when implementing SSO and authenticating the users. Going back to your question on which cookie will domain3.com use? The cookie that comes from the SSO provider. Where and how this is set is determined by the provider. I've personally worked with Microsoft's Active Directory Federation Services (ADFS), which is their SSO solution. ADFS set the cookie for us, and our application simply made a call to the ADFS server with the returned token to validate that the token was still good.

My next suggestion would be to select an SSO provider and research how it works. You can also go to your favorite site for buying books and search "single sign on" and find a lot of supplemental material.
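As an added illustration (not code from the question or the answer above): the browser cookie rules that decide the question, simulated with Python's standard http.cookiejar. The host names, cookie values and the sso.example.com provider host are constructed for the demo. Each site's login cookie is scoped to the host that set it, so www.domain3.com receives neither of them; the only cookie the sites have in common is the provider's, which is sent only to the provider, and sso_cookie() applies the answer's rule that the cookie must not expire before the token it carries.

```python
import http.cookiejar
import time
import urllib.request
from email.message import Message

class _Response:
    """Minimal stand-in for an HTTP response: CookieJar only needs .info()."""

    def __init__(self, set_cookie_values):
        self._headers = Message()
        for value in set_cookie_values:
            self._headers.add_header("Set-Cookie", value)

    def info(self):
        return self._headers

def sso_cookie(token, token_expires_at, now=None):
    """Set-Cookie value whose Max-Age equals the token's remaining lifetime."""
    now = int(time.time()) if now is None else now
    remaining = max(0, int(token_expires_at - now))
    return f"sso_token={token}; Max-Age={remaining}; Path=/; Secure; HttpOnly"

def build_jar(now=None):
    """One jar (the user's browser) after logging in to two sites and to the
    SSO provider. Hosts and values are constructed; sso.example.com is assumed."""
    now = int(time.time()) if now is None else now
    jar = http.cookiejar.CookieJar()
    logins = [
        ("https://www.domain1.com/login", "session=user1; Path=/; Secure; HttpOnly"),
        ("https://www.domain2.com/login", "session=user2; Path=/; Secure; HttpOnly"),
        ("https://sso.example.com/login", sso_cookie("tok123", now + 3600, now)),
    ]
    for url, set_cookie in logins:
        # same rule a browser applies: a host-only cookie is scoped to the setting host
        jar.extract_cookies(_Response([set_cookie]), urllib.request.Request(url))
    return jar

def cookies_sent_to(jar, url):
    """Cookie header the browser would attach to a request for url, or None."""
    request = urllib.request.Request(url)
    jar.add_cookie_header(request)
    return request.get_header("Cookie")

if __name__ == "__main__":
    jar = build_jar()
    for url in ("https://www.domain1.com/", "https://www.domain2.com/",
                "https://www.domain3.com/", "https://sso.example.com/authorize"):
        print(url, "->", cookies_sent_to(jar, url))
```

Because www.domain3.com sees no cookie of its own, it has to send the user to the provider, where the provider's cookie proves the user is already authenticated.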
 
Comments
Minh Rino 17-Jul-15 8:49am    
For example, I need to implement SSO for 4 sites: 1, 2, 3 and 4. I want to set the default cookies for the 3rd and 4th sites such that site 3 gets the cookie according to site 2 and site 4 according to site 1. So, how can I do that? What function of cookies helps us do this?

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)