I’d like to create a single sign on for multiple websites (sitea.com, siteb.com, sitec.com). All sites are with the same company. Any database is also with the same company/location. Some are asp.net web apps and some are forums. I’d like to try and abstract away the SSO so it is not tangled up with any one site. I’ve outlined my approach below:
- user signs into sitea.com, which authenticates user. A sessionid is created by sitea.com.
- a cookie is placed on the user’s machine with username and sessionid. The sessionid is inserted into the database centralAuthDB, which all sites have access to.
- user clicks a link in sitea.com that does SSO to siteb.com (forum).
- siteb.com retrieves username and sessionid from the cookie. siteb.com then checks these credentials against centralAuthDB.
- A match is made with centralAuthDB and the SSO is authenticated. However, the forum (siteb.com) also has its own database of users. The username is checked in this database as well and now the user is seamlessly logged into the forum.
Is the above secure and practical?
Should credentials be sent to centralAuthDB via webservice?
Will the cookie need some generic name? Then the values for username and sessionid are placed in this cookie?
With any SSO, you’re going to need a service that takes a credential and generates a secure authentication token. The token must be encrypted so that it cannot be forged; only the authenticating service would be able to decrypt it to check for validity. Then, that token can be passed around to whatever you wish–in a query string, most likely. Cookies are ruled out because they are inaccessible across host names.
As mentioned in the comments on your question, it’s wise to investigate pre-existing solutions to this problem. Way smarter guys than you or I have spent thousands of man-hours hashing out all the problems with such systems.
My own personal choice would be OAuth as it’s the implementation I’m most familiar with. You might also want to check out how Facebook does authentication for ideas on what, exactly, the token could contain.
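Added example, not code from the question or the answer above: it puts the flow outlined in the question (sign in at sitea.com, register the session in centralAuthDB, hand the user to siteb.com) together with the answer's requirement that the hand-off token be unforgeable and carried in the query string rather than a cookie. The token format, the shared key `SSO_KEY`, the in-memory `central_sessions` table standing in for centralAuthDB, and the `used_nonces` set are all assumptions made for illustration. The check on the receiving side rejects a forged or tampered token, an expired one, one minted for a different site, one that has already been used, and one whose central session no longer exists.

```python
"""Signed, single-use hand-off token for cross-domain SSO (illustrative)."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Dict, Optional, Set

# Assumed: a secret known only to the central authentication service and
# the sites it trusts. Constructed for this example; keep a real key in a
# secrets store, never in source.
SSO_KEY = b"example-only-shared-secret-replace-me"

# Stand-in for the central session table (centralAuthDB in the question):
# sessionid -> username, written when the user signs in to site A.
central_sessions: Dict[str, str] = {}

# Stand-in for the receiving site's record of hand-off tokens it has already
# accepted, so a token copied from a URL or a log line cannot be replayed.
used_nonces: Set[str] = set()


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_in(username: str) -> str:
    """Site A authenticates the user and registers the session centrally."""
    sessionid = secrets.token_urlsafe(32)   # unguessable, not a counter
    central_sessions[sessionid] = username
    return sessionid


def issue_handoff_token(sessionid: str, audience: str, ttl: int = 60,
                        now: Optional[int] = None) -> str:
    """Central service mints a short-lived token bound to one target site.

    The token is base64url(JSON payload) + "." + base64url(HMAC-SHA256 tag).
    Anyone can read the payload; only a holder of SSO_KEY can produce a
    valid tag, which is what makes the token unforgeable.
    """
    if sessionid not in central_sessions:
        raise PermissionError("unknown session")
    now = int(time.time()) if now is None else now
    payload = {
        "sub": central_sessions[sessionid],
        "sid": sessionid,
        "aud": audience,                 # the only site that may accept it
        "exp": now + ttl,                # seconds since the epoch
        "nonce": secrets.token_urlsafe(16),
    }
    body = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    tag = b64url_encode(hmac.new(SSO_KEY, body.encode(), hashlib.sha256).digest())
    return f"{body}.{tag}"


def verify_handoff_token(token: str, expected_audience: str,
                         now: Optional[int] = None) -> Optional[str]:
    """Site B validates a token taken from the query string.

    Returns the username on success, None on any failure (the caller should
    fall back to its normal login page, not guess why).
    """
    try:
        body, tag = token.split(".", 1)
    except ValueError:
        return None
    expected = b64url_encode(hmac.new(SSO_KEY, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(tag, expected):
        return None                      # forged or tampered
    payload = json.loads(b64url_decode(body))
    now = int(time.time()) if now is None else now
    if payload["exp"] < now:
        return None                      # expired
    if payload["aud"] != expected_audience:
        return None                      # minted for another site
    if payload["nonce"] in used_nonces:
        return None                      # replayed
    if central_sessions.get(payload["sid"]) != payload["sub"]:
        return None                      # session revoked or never existed
    used_nonces.add(payload["nonce"])
    return payload["sub"]


if __name__ == "__main__":
    sid = sign_in("alice")
    token = issue_handoff_token(sid, "siteb.com")
    # Site A would redirect to https://siteb.com/sso?token=<token>
    print(verify_handoff_token(token, "siteb.com"))   # alice
    print(verify_handoff_token(token, "siteb.com"))   # None (single use)
```

Because the token travels in a query string it can end up in browser history, proxy logs and Referer headers, which is why the example keeps the lifetime to seconds, accepts each token once, and binds it to the one site it was minted for. The receiving site still has to confirm the session against the central table, so signing out at sitea.com (deleting the row) also invalidates any outstanding hand-off.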