Quote:
Originally posted by foe
LOL, cookies are the one thing that specifically will NOT work, they are domain based.
Actually the only good way to do it IS with cookies. You can't use basic authentication, because the surfer's browser will only send the username/crypted password to the realm (and thereby domain) that the surfer entered the password for, and you can't modify that server side. You can also play around with authenticating by referring URL, but you can't rely upon that being present, it's easy to forge, and you lose the ability to track what a particular user is doing.
If you want to authenticate/authorize across multiple domains, it needs to be done with a variable you have control over server side, such as cookies. You can do cross-site authentication/authorization, although it is a real pain to set up, you need to have control of both servers, and there are some compatibility issues.
Basically, you change your authentication/authorization from looking at the username and password to looking at a cookie (which only gets set on two conditions: if the user enters a valid username/password on a login form, or if the user clicks on a link leading to the protected area that contains a time-sensitive "ticket" to be let in). For example, we use a ticket that consists of the member's username, a timestamp, and an md5(username, timestamp, time-based-secret). Of course we have to be very careful that the system clocks on our servers don't fall out of sync.
I don't know of any publicly available tools to do this. We had to heavily modify Apache::AuthCookie to allow one login seamless access to multiple domains.
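The ticket scheme the post sketches (username + timestamp + keyed hash, carried in a link from the first domain to the second, which then sets its own cookie), as an added illustration that is not code from the post or from Apache::AuthCookie. It swaps the post's md5(username, timestamp, secret) construction for HMAC-SHA256 over the same fields, uses a single shared secret rather than a time-based one, and the validity window, clock-skew tolerance and secret value are assumed for the example. The clock check is the point the post warns about: a ticket is rejected if it is older than the window or if it claims to come from the future beyond the skew allowance, so two servers whose clocks drift apart will start failing closed rather than accepting stale tickets.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed values for the example; both domains must hold the same secret.
SHARED_SECRET = b"example-shared-secret-rotate-me"
TICKET_TTL = 300     # seconds a ticket stays usable after issue (assumed)
CLOCK_SKEW = 30      # tolerated drift between the two servers' clocks (assumed)


def _mac(username, ts, secret):
    # Keyed hash over username and timestamp, stands in for the post's md5(...)
    return hmac.new(secret, f"{username}:{ts}".encode(), hashlib.sha256).hexdigest()


def make_ticket(username, secret=SHARED_SECRET, now=None):
    """Issue a ticket on the domain where the user logged in."""
    ts = int(time.time() if now is None else now)
    return f"{username}:{ts}:{_mac(username, ts, secret)}"


def verify_ticket(ticket, secret=SHARED_SECRET, now=None,
                  ttl=TICKET_TTL, skew=CLOCK_SKEW):
    """Return the username if the ticket is authentic and fresh, else None."""
    try:
        # rsplit keeps any ':' inside the username intact; ts and mac have none
        username, ts_str, mac = ticket.rsplit(":", 2)
        ts = int(ts_str)
    except ValueError:
        return None
    # Constant-time comparison so the MAC check does not leak via timing
    if not hmac.compare_digest(mac, _mac(username, ts, secret)):
        return None
    now = int(time.time() if now is None else now)
    if ts > now + skew:            # issued "in the future": clocks out of sync
        return None
    if now - ts > ttl + skew:      # older than the window plus tolerated drift
        return None
    return username


def cross_domain_link(target_url, username, secret=SHARED_SECRET, now=None):
    """Build the link the first domain hands the user to reach the second."""
    return target_url + "?" + urlencode({"ticket": make_ticket(username, secret, now)})


def accept_link(url, secret=SHARED_SECRET, now=None):
    """What the second domain does on arrival: verify, then it sets its own cookie."""
    params = parse_qs(urlparse(url).query)
    tickets = params.get("ticket", [])
    if len(tickets) != 1:
        return None
    return verify_ticket(tickets[0], secret, now)


if __name__ == "__main__":
    link = cross_domain_link("https://members.example.net/area", "alice")
    print(link)
    print("accepted as:", accept_link(link))
```

The shared secret must be identical on every participating server, and because the ticket rides in a URL it should only ever be a one-hop, short-lived credential: the receiving domain exchanges it for its own cookie immediately, so the ticket does not end up in referrer headers or server logs as a long-lived login.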