1

For example, I have 2 apps: one is on abc.com, and the other is on xyz.com.

What I want is that if a user logs in on abc.com, he will also be logged in on xyz.com automatically. That means that after he logs in on abc.com and just opens xyz.com in a new browser tab, he will be shown as already logged in.

It's the same as msn.com and hotmail.com: if you log in on msn.com and open hotmail.com, you can see you're already logged in.

I'm using CI, and for login information I used CI's session functions (which are cookies in fact), but it seems cookies cannot be shared across different domains.

I've tried to use CURL, but CURL cannot make xyz.com really make the cookies.

I've also searched around Google, and many people suggested passing a session id, but the problem is that there's no link between abc.com and xyz.com, so how can I pass the session? If I store the session id in a database, then how can I identify which user should use this session id? Going by IP is obviously not secure :D

Please, help me!

bluish
JuLy
  • So what you're looking for is basically a Single Sign-on (or SSO in short) solution? Read up on OpenID (as used here on SO), it's tried and tested (and very convenient). – wimvds Jan 27 '11 at 09:00

2 Answers

2

You can open an iframe on xyz.com that will connect to abc.com, then use ajax/js to forward some sort of token to xyz.com from the iframe by calling a js function from the iframe.

So it will look something like:

XYZ.com:

function authAbcUser(token) { 
    //During this function you will set a cookie for this user on XYZ.com
}
<iframe height="0" width="0" src="http://www.abc.com/auth.php?token"></iframe>

ABC.com/auth.php:

parent.authAbcUser(token);
Or Weinberger
  • hmmmmm, sry but how abt the security thing ? – JuLy Jan 27 '11 at 08:35
  • i think i've already got the way to make it secure, many thx again ! – JuLy Jan 27 '11 at 08:55
  • Check where the request originated from perhaps? It wouldn't be completely safe, but probably would for smaller applications. See the solutions and explanations given in this question which is basically a duplicate of this question: http://stackoverflow.com/questions/342378/cross-domain-login-how-to-login-a-user-automatically-when-transfered-from-one-d – Dwayne Charrington Jan 28 '11 at 05:46
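
Added example (not part of the original answers): browsers' same-origin policy stops the abc.com iframe from calling a function on the xyz.com parent directly, so a handoff like this is normally done with `postMessage`, and the receiver must check both the sender's origin and the token itself. The sketch runs under Node.js; `SHARED_KEY`, the origin strings and all function names are assumptions, and the browser `message` event is simulated with a plain object.

```javascript
const { createHmac, randomBytes, timingSafeEqual } = require('node:crypto');

const SHARED_KEY = 'constructed-demo-key'; // assumption: secret held only by both back ends
const ABC_ORIGIN = 'https://www.abc.com';  // assumption: the only origin allowed to send tokens
const TTL_MS = 60 * 1000;                  // tokens live for one minute
const usedNonces = new Set();              // xyz.com side; use a shared store in production

const sign = (body) =>
  createHmac('sha256', SHARED_KEY).update(body).digest('base64url');

// abc.com back end: mint a token for the user who is already logged in there.
// The iframe page would then run: parent.postMessage(token, 'https://www.xyz.com')
function mintToken(userId, now = Date.now()) {
  const claims = {
    sub: userId,
    aud: 'xyz.com',                        // token is only valid for this site
    exp: now + TTL_MS,
    nonce: randomBytes(16).toString('hex'),
  };
  const body = Buffer.from(JSON.stringify(claims)).toString('base64url');
  return `${body}.${sign(body)}`;
}

// xyz.com back end: verify the token before setting xyz.com's own session cookie.
function verifyToken(token, now = Date.now()) {
  const [body, mac] = String(token).split('.');
  if (!body || !mac) return null;
  const expected = Buffer.from(sign(body));
  const given = Buffer.from(mac);
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) return null;
  const claims = JSON.parse(Buffer.from(body, 'base64url').toString());
  if (claims.aud !== 'xyz.com' || claims.exp < now) return null;
  if (usedNonces.has(claims.nonce)) return null; // single use: reject replays
  usedNonces.add(claims.nonce);
  return claims.sub;
}

// xyz.com page: logic of window.addEventListener('message', ...). In a browser
// the handler checks event.origin, then POSTs event.data to the xyz.com server,
// which runs verifyToken; both steps are combined here so the file runs offline.
function acceptMessage(event, now = Date.now()) {
  if (event.origin !== ABC_ORIGIN) return null;  // ignore every other sender
  return verifyToken(event.data, now);
}
```
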
0

Try to use this and make it work with CI

http://www.assembla.com/wiki/show/attachpass/Single_Sign_On_Process