[drupal-devel] login once for multiple sites
Moshe Weitzman
weitzman at tejasa.com
Sun Apr 24 11:17:21 UTC 2005
I implemented a system very similar to this in sso.module. See
http://cvs.drupal.org/viewcvs/drupal/contributions/modules/sso/Attic/sso.module?rev=1.2&hideattic=0&view=log.
It was an experiment of mine, and to my knowledge not yet tested on a
pod of production sites. It is unmaintained, by now.
-moshe
On Apr 23, 2005, at 11:02 PM, Allie Micka wrote:
> This would be exceedingly useful for us as well. But you don't want
> to rely on PHPSESSID because (hopefully) the various sites do not have
> access to the same session info. Additionally, a site can't set a
> cookie for another domain. You can set a cookie that works on various
> subdomains ( a.drupal.org, b.drupal.org, etc.) but that's nowhere near
> flexible enough.
>
> One way to do this is to query a central site for logged-in status:
>
> - A user preference on each site includes a "log me into the network"
> option. This sets a persistent cookie on the user's machine that
> represents some kind of universal id for them.
>
> - Upon successful authentication on a network site, the logged-in
> status is reported to the central server for that universal id.
>
> - When a user attempts to authenticate, check for the presence of that
> cookie. If it exists, query the central server to see if that id has
> been logged in somewhere else.
>
> - During subsequent hits and/or login status changes, the central site
> is notified of the users' status.
>
> notes:
>
> This has usability issues, which would have to be identified and
> addressed.
>
> It sounds shockingly insecure, but can be made "good enough" through
> the use of SSL, session cookies, secure hash and shared secrets among
> the network sites.
>
> The persistent cookie is a definite problem for multi-user systems.
> Off the top of my head, I don't know a way around it.
>
>>> I think it would be a good idea to provide administrators who use one
>>> Drupal installation for multiple sites and share users and sessions
>>> across those sites (via $db_prefix) with a new option that would let
>>> users who log into one of the sites to be automatically logged into
>>> some or all of the other companion sites.
>>>
>>> I'm envisioning this working by adjusting user_login() function in
>>> user.module. Once a login is successful, have the function send out
>>> PHPSESSID cookies for the desired sites, each containing the same
>>> session id.
>>>
>>> Your thoughts?
>>
>> I've been thinking about implementing this feature. But there is
>> always this lack of time...
>>
>> Cheers,
>> Gerhard
>
> Allie Micka
> pajunas interactive, inc.
> http://www.pajunas.com/
>
> scalable web hosting and open source solutions
>
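
The "secure hash and shared secrets" step from the quoted proposal, sketched as an added example (not code from sso.module or from anyone in this thread): each network site signs its status report to the central site with a per-site secret, and the central site rejects forged, stale or replayed reports. The names `CentralServer`, `sign_report`, `make_report`, `MAX_SKEW` and the message layout are assumptions, and transport over SSL is assumed.

```python
import hashlib
import hmac
import json
import secrets
import time

MAX_SKEW = 60  # seconds a signed report stays acceptable (assumed value)

def sign_report(secret, site, uid, status, ts, nonce):
    """HMAC-SHA256 over an unambiguous JSON encoding of every field."""
    msg = json.dumps([site, uid, status, ts, nonce], separators=(",", ":"))
    return hmac.new(secret, msg.encode(), hashlib.sha256).hexdigest()

def make_report(secret, site, uid, status):
    """Network-site side: build a fresh signed status report."""
    ts, nonce = int(time.time()), secrets.token_hex(16)
    return site, uid, status, ts, nonce, sign_report(secret, site, uid, status, ts, nonce)

class CentralServer:
    """Hypothetical central site tracking login status per universal id."""

    def __init__(self, site_secrets):
        self.site_secrets = site_secrets  # site name -> shared secret (bytes)
        self.logged_in = {}               # universal id -> reporting site
        self.seen = set()                 # (site, nonce) pairs; prune after MAX_SKEW

    def report(self, site, uid, status, ts, nonce, mac, now=None):
        """Accept a status report only if authentic, fresh and not replayed."""
        now = int(time.time()) if now is None else now
        secret = self.site_secrets.get(site)
        if secret is None or status not in ("in", "out"):
            return False
        expected = sign_report(secret, site, uid, status, ts, nonce)
        if not hmac.compare_digest(expected.encode(), str(mac).encode()):
            return False  # forged or altered report
        if abs(now - ts) > MAX_SKEW or (site, nonce) in self.seen:
            return False  # stale or replayed report
        self.seen.add((site, nonce))
        if status == "in":
            self.logged_in[uid] = site
        else:
            self.logged_in.pop(uid, None)
        return True

    def is_logged_in(self, uid):
        """Query made by a network site that sees the universal-id cookie."""
        return uid in self.logged_in
```

In a deployment the lookup would be signed the same way as the report, and the universal id in the persistent cookie would need to be an unguessable random value, since it is the only thing tying the browser to the status record.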