[drupal-devel] login once for multiple sites

Allie Micka allie at pajunas.com
Sun Apr 24 03:02:54 UTC 2005 

This would be exceedingly useful for us as well.  But you don't want to 
rely on PHPSESSID because (hopefully) the various sites do not have 
access to the same session info.  Additionally, a site can't set a 
cookie for another domain.  You can set a cookie that works on various 
subdomains ( a.drupal.org, b.drupal.org, etc.) but that's nowhere near 
flexible enough.

One way to do this is to query a central site for logged-in status:

- A user preference on each site includes a "log me into the network" 
option.  This sets a persistent cookie on the user's machine that 
represents some kind of universal id for them.

- Upon successful authentication on a network site, the logged-in 
status is reported to the central server for that universal id.

- When a user attempts to authenticate, check for the presence of that 
cookie.  If it exists, query the central server to see if that id has 
been logged in somewhere else

- During subsequent hits and/or login status changes, the central site 
is notified of the users' status.

notes:

This has usability issues, which would have to be identified and 
addressed.

It sounds shockingly insecure, but can be made "good enough" through 
the use of SSL, session cookies, secure hash and shared secrets among 
the network sites.

The persistent cookie is a definite problem for multi-user systems.  
Off the top of my head, I don't know a way around it.

>> I think it would be a good idea to provide administrators who use one
>> Drupal installation for multiple sites and share users and sessions 
>> across
>> those sites (via $db_prefix) with a new option that would let users 
>> who
>> log into one of the sites to be automatically logged into some or all 
>> of
>> the other companion sites.
>>
>> I'm envisioning this working by adjusting user_login() function in
>> user.module.  Once a login is successful, have the function send out
>> PHPSESSID cookies for the desired sites, each containing the same 
>> session
>> id.
>>
>> Your thoughts?
>
> I've been thinking about implementing this feature. But there is always
> this lack of time...
>
> Cheers,
> 	Gerhard

Allie Micka
pajunas interactive, inc.
http://www.pajunas.com/

scalable web hosting and open source solutions

More information about the drupal-devel mailing list