I implemented a system very similar to this in sso.module. See http://cvs.drupal.org/viewcvs/drupal/contributions/modules/sso/Attic/sso.module?rev=1.2&hideattic=0&view=log. It was an experiment of mine, and to my knowledge not yet tested on a pod of production sites. It is unmaintained by now.
-moshe
On Apr 23, 2005, at 11:02 PM, Allie Micka wrote:
This would be exceedingly useful for us as well. But you don't want to rely on PHPSESSID because (hopefully) the various sites do not have access to the same session info. Additionally, a site can't set a cookie for another domain. You can set a cookie that works on various subdomains (a.drupal.org, b.drupal.org, etc.) but that's nowhere near flexible enough.
One way to do this is to query a central site for logged-in status:
- A user preference on each site includes a "log me into the network" option. This sets a persistent cookie on the user's machine that represents some kind of universal id for them.
- Upon successful authentication on a network site, the logged-in status is reported to the central server for that universal id.
- When a user attempts to authenticate, check for the presence of that cookie. If it exists, query the central server to see if that id has been logged in somewhere else.
- During subsequent hits and/or login status changes, the central site is notified of the users' status.
Notes:
This has usability issues, which would have to be identified and addressed.
It sounds shockingly insecure, but can be made "good enough" through the use of SSL, session cookies, secure hash and shared secrets among the network sites.
The persistent cookie is a definite problem for multi-user systems. Off the top of my head, I don't know a way around it.
I think it would be a good idea to provide administrators who use one Drupal installation for multiple sites and share users and sessions across those sites (via $db_prefix) with a new option that would let users who log into one of the sites be automatically logged into some or all of the other companion sites.
I'm envisioning this working by adjusting the user_login() function in user.module. Once a login is successful, have the function send out PHPSESSID cookies for the desired sites, each containing the same session id.
Your thoughts?
I've been thinking about implementing this feature. But there is always this lack of time...
Cheers, Gerhard
Allie Micka
pajunas interactive, inc.
http://www.pajunas.com/
scalable web hosting and open source solutions
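The "secure hash and shared secrets" idea from the quoted proposal, as an added example that is not part of the thread and not code from sso.module or Drupal: a member site signs its login-status report with HMAC-SHA256, and the central server rejects forged, stale and replayed reports. Every function name, site name, secret and id below is hypothetical, and transport over SSL is assumed as in the proposal.

```php
<?php
// Added illustration; all names are hypothetical, not from sso.module or Drupal.

// Unambiguous encoding of the fields covered by the MAC (fixed order, all strings).
function sso_canonical(array $m): string {
    return json_encode(array_map('strval',
        [$m['site'], $m['uid'], $m['status'], $m['ts'], $m['nonce']]));
}

// Member site: build a signed status report for a user's universal id.
function sso_sign_report(string $site, string $uid, string $status,
                         string $secret, int $now): array {
    $m = ['site' => $site, 'uid' => $uid, 'status' => $status,
          'ts' => $now, 'nonce' => bin2hex(random_bytes(16))];
    $m['mac'] = hash_hmac('sha256', sso_canonical($m), $secret);
    return $m;
}

// Central server: record the status only if MAC, timestamp and nonce all check out.
function sso_accept_report(array $m, array $secrets, array &$seen,
                           array &$state, int $now, int $maxAge = 60): bool {
    foreach (['site', 'uid', 'status', 'ts', 'nonce', 'mac'] as $k) {
        if (!isset($m[$k]) || !is_scalar($m[$k])) return false;    // malformed
    }
    if (!isset($secrets[$m['site']])) return false;                // unknown site
    $expected = hash_hmac('sha256', sso_canonical($m), $secrets[$m['site']]);
    if (!hash_equals($expected, (string) $m['mac'])) return false; // forged or altered
    if (abs($now - (int) $m['ts']) > $maxAge) return false;        // stale report
    if (isset($seen[$m['nonce']])) return false;                   // replayed report
    $seen[$m['nonce']] = true;
    $state[$m['uid']] = $m['status'];
    return true;
}

// Constructed sample data: one secret per member site, held by the central server.
$secrets = ['a.example' => 'constructed-secret-a', 'b.example' => 'constructed-secret-b'];
$seen = []; $state = []; $now = 1114300000;

$report = sso_sign_report('a.example', 'u-1234', 'in', $secrets['a.example'], $now);
$cases = [
    'genuine'  => [$report, $now],
    'replayed' => [$report, $now],
    'tampered' => [array_merge($report, ['uid' => 'u-9999']), $now],
    'stale'    => [sso_sign_report('b.example', 'u-1234', 'out', $secrets['b.example'], $now), $now + 3600],
];
foreach ($cases as $label => [$msg, $at]) {
    echo $label, ': ', sso_accept_report($msg, $secrets, $seen, $state, $at) ? 'accepted' : 'rejected', "\n";
}
```

The MAC authenticates the reporting site, not the browser: the persistent cookie concern raised in the notes is unchanged by this check. A real nonce table would also need to expire entries older than the accepted time window.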