One of the biggest barriers to entry on the web might be the “register -> check email -> login -> remember account info” paradigm. OpenID is doing cool stuff in this area, and I’d like to spend some time researching it more fully. At work we’re looking to implement a “single login” interface and I recently worked on a proof-of-concept for the several sites my company operates that would allow a user to log in to one site and be automatically logged in to the other sites.
How it works: iframes
Cookies are scoped to the domain that set them, so one site can neither set nor read cookies for another domain. Auth data lives in a server-side session that is referenced by a sessionid cookie, so the problem reduces to getting that reference from one domain to another. Iframes do that: when site A embeds an iframe pointing at site B, the browser sends B's cookies with that request, so a view on B runs with B's own session and can in turn embed an iframe pointing back at A.
Or, in other words:
- if the user is not logged in, generate some iframes pointing at the other sites
- those other sites will check to see if they have a valid session, and if so will create a new iframe
- the new iframe points at the first site and hits a view that takes a session id and moves it over:
```python
from django.contrib.sessions.models import Session

# view on the first site, hit by the iframe the other site created
session_id = request.GET.get('sessionid')  # the other site's session id, taken as-is from the query string
session = Session.objects.get(pk=session_id)
cur_session = Session.objects.get(pk=request.COOKIES['sessionid'])
cur_session.session_data = session.session_data  # encoded blob; it decodes only under the same SECRET_KEY
cur_session.save()  # needed to persist the copy; the snippet as posted never saved it
```
A couple caveats:
- these sites share a database, and while many of our users are not aware that their username for one site works on the other, it does.
- since these sites are on the same db, transferring data from one session to another is trivial
I am simply transferring session data. Another implementation would be to set a cookie with the same sessionid and share the session across sites. In the end, I believe we will set up a dedicated authentication handler that, when a user logs in, will set cookies on all sites, effectively logging the user in everywhere. Then when the user logs out, clear cookies on all sites, thereby truly having the “single login – single logout” functionality while keeping distinct sessionids for each site.
So, the two possible implementations look like this:
1. Distinct sessions
A check needs to be performed against all the other sites: if the user is logged in on any of them, they can be logged in on this one too. If an authenticated session is found, its data is copied into the user's session on the site being visited. This should happen on login rather than on every anonymous request, so that the extra iframes do not burden every page load.
2. Shared sessions
Using shared sessions fits more in line with the true "single login, single logout" idea. As with the first method, all domains need to be checked for authenticated sessions; however, instead of copying the session data, the anonymous session is deleted and a new cookie is set pointing at the authenticated session. When a user logs out of one site, they are logged out of the others. I am not sure, but I imagine there would be some data integrity concerns if two sites are dipping into the same session; any information to this end would be greatly appreciated.
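The whole hand-off, both the iframe round trip described above and the two implementations just compared, as an added example that is not the post's own code. It replaces the shared django_session table with a plain dict and Django's views with functions so it runs offline. Two things are assumptions of this example rather than anything the post does: both sites share one HMAC secret, and the session id travels inside a signed, short-lived, audience-bound token instead of as a bare `sessionid` query parameter. The view as posted copies whatever session id appears in the query string into the visitor's session, and an iframe to that view can be placed on any third-party page, so the receiving side here refuses tokens it cannot verify, tokens minted for another site, expired tokens, and tokens whose source session no longer exists.

```python
import hashlib
import hmac
import secrets
import time

# Example assumptions (not from the post): both sites read one session table
# and share one HMAC secret. The post's view accepts a bare sessionid from the
# query string; here the id travels inside a signed, short-lived, audience-bound
# token so that a page outside the two sites cannot mint or replay a hand-off.
SECRET_KEY = b"example-shared-secret"
HANDOFF_TTL = 60  # seconds a hand-off token stays valid

# Shared session store standing in for the django_session table: id -> data.
SESSIONS = {}


def new_session(data=None):
    """Create a session row and return its id (what the sessionid cookie holds)."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = dict(data or {})
    return sid


def _sign(payload):
    return hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()


def mint_handoff(site_b_cookies, audience):
    """Site B's iframe view: if B's own session is authenticated, return the
    token its iframe back to site A will carry; None when B is anonymous."""
    sid = site_b_cookies.get("sessionid")
    data = SESSIONS.get(sid)
    if not data or "user_id" not in data:
        return None
    payload = f"{sid}:{audience}:{int(time.time()) + HANDOFF_TTL}"
    return payload + ":" + _sign(payload)


def receive_handoff(site_a_cookies, token, site, mode="copy", now=None):
    """Site A's receiving view. Verifies the token, then either copies the
    authenticated session's data into A's own session ("copy": distinct
    sessions) or points A's cookie at that session ("share": shared session).
    Returns the sessionid A should set as its cookie, or None if rejected."""
    try:
        src_sid, audience, exp, mac = token.split(":")
    except (AttributeError, ValueError):
        return None  # malformed or missing token
    payload = f"{src_sid}:{audience}:{exp}"
    if not hmac.compare_digest(mac, _sign(payload)):
        return None  # forged or tampered
    if audience != site or int(exp) < (now if now is not None else time.time()):
        return None  # minted for a different site, or expired
    if "user_id" not in SESSIONS.get(src_sid, {}):
        return None  # source session vanished (e.g. logged out meanwhile)
    cur_sid = site_a_cookies.get("sessionid")
    if mode == "copy":
        if cur_sid not in SESSIONS:
            cur_sid = new_session()  # no usable cookie: start a fresh row
        SESSIONS[cur_sid] = dict(SESSIONS[src_sid])  # keep A's id, take B's data
        return cur_sid
    SESSIONS.pop(cur_sid, None)  # drop the anonymous row ...
    return src_sid  # ... and reuse B's session id as A's cookie


def logout(cookies):
    """Delete the row behind a cookie, as Django's session.flush() does."""
    SESSIONS.pop(cookies.get("sessionid"), None)


def is_authenticated(cookies):
    return "user_id" in SESSIONS.get(cookies.get("sessionid"), {})


def demo(mode):
    """One full flow: B is logged in, A is anonymous, A receives the hand-off,
    then the user logs out of B. Returns (A logged in after hand-off,
    A still logged in after B's logout)."""
    b = {"sessionid": new_session({"user_id": 42})}
    a = {"sessionid": new_session()}
    a["sessionid"] = receive_handoff(a, mint_handoff(b, "site-a"), "site-a", mode)
    after_handoff = is_authenticated(a)
    logout(b)
    return after_handoff, is_authenticated(a)


if __name__ == "__main__":
    print("distinct sessions:", demo("copy"))   # (True, True)
    print("shared session:  ", demo("share"))   # (True, False)
```

`demo("copy")` shows the first design: the user is logged in on A after the hand-off and stays logged in there after logging out of B, because A has its own row. `demo("share")` shows the second: logging out of B deletes the one row both cookies point at, so A is logged out too. On the data-integrity question, Django's database session backend reads the whole encoded blob on first access and writes the whole blob back on save, with no merge, so two sites handling concurrent requests against one shared row are last-writer-wins over the entire session dict; keeping per-site state out of the shared session, or namespacing its keys, avoids one site silently discarding the other's writes.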