在2个网站上进行身份验证和登录

Question

I have 2 site: example.com and exampletwo.com

I want that when a user login on example.com then he is automatically authenticated also on exampletwo.com

How can I do that ? I use Django + Nginx on first website and Tornado framework + Tornado server on second website.

Thanks ;)

.

PS If you don't know this platforms ( Django or Tornado or Nginx ), I accept also a solution for a generic PHP+Apache platform and then I will do some research :)

Answer 1

I would have the code handling user registration on example.com immediately send an https request to exampletwo.com (which authenticates it based on certificates, of course) meaning "add this user with these credentials". This approach seems to be workable for any two web servers / frameworks / languages as long as they're able to send and receive HTTPS requests and authenticate certificates.

If you can't authenticate certificates, you could send the "add this user" message encrypted (as long as the two sites can share a secret to use for the encryption). This may be vulnerable to replay attacks, but if you make a timestamp part of the "add this user" message, you can highly restrict the time window of vulnerability for the replay attacks, probably enough to make this approach viable.

If you can't safely share secrets between the two sites, not everything is lost: you can still use public key encription. The sender encrypts the "add this user message" (including the timestamp of course) with its own private key, then with the receiver's public key; the receiver decrypts what it receives with its own private key, then with the sender's public key. A bit messy and perhaps a bit slow, but under such difficult constraints it's surprising that it can still be done at all;-).

Answer 2

Assuming both the websites can access a single shared database this can be done with both the webpages accessing a table and checking whether a user has logged in or not. I am not familiar with Djano or Tornado, but if the above solution is dubious, you may wish to expose a Web Method (Web Services) of one website and then use (call) the web method from the other. Cookies are a no brainer as they are site dependent. And another approach is tracking the user through the IP, but dynamic IP's can pose a great problem and may be used to breach the security.

Answer 3

The problem is that one site cannot set cookies for another. Even if your login code on example.com were to do a server-to-server request to tell exampletwo.com that the user's validated, there's no way to set a cookie to carry this message over when the user actually visits exampletwo.com.

Client certificates are way around this, but if this dual-auth system is for the general public, not a particularly good one. Most people will see some weird request ('Do you want to add this cert?') pop up and run off to the hills screaming.

The workaround is do have example.com spit out SOMETHING that'll cause the user to load something from exampletwo.com. An image, a chunk of javascript, etc... and put an encrypted token in the request ( <img src="http://exampletwo.com/login.php?remoteauth=ENCRYPTEDTOKEN"> ). Then exampletwo can decrypt the token, and if its contents are ok, and send out the image (or whatever you're transferring) with the appropriate cookie set.