
Using OpenID to log into multiple domains: Is this plan feasible?
<p>For example:</p>
<ul>
<li>We're running two community sites on two domains (call them <code>example.com</code> and <code>example.net</code>).</li>
<li>We want to be able to expand that to more domains later.</li>
<li>We want to allow multiple types of login (OpenID, Facebook, Twitter, standard username/password).</li>
<li>We want someone who's logged into one site to automatically be logged into the other(s).</li>
</ul>
<p>In other words, it's a bit similar to the StackExchange network.</p>
<p>In this case, would this plan work?</p>
<ul>
<li>Set up <code>example.com</code> and <code>example.net</code> (and any later additions) as OpenID relying parties, which accept OpenID login from <code>id.example.org</code> only.</li>
<li>Set up <code>example.com</code> and <code>example.net</code> to do an OpenID reply-immediate request the first time you visit them, so that if you're logged into <code>id.example.org</code> you're immediately and automatically logged into the site you're visiting. They should set a cookie if you're not logged in, to save them doing this on every page request.</li>
<li>Set up <code>id.example.org</code> as an OpenID provider and consumer. It should also consume Facebook and other identity providers, and allow standard username/password access. (Multiple login methods could be attached to one account.)</li>
<li>On logout, simply change the authentication tokens in the database. The user will still have cookies, but they'll be meaningless. Thus can the user be signed out of all sites simultaneously. Multiple authentication tokens can be stored against one user at one time (and should be different for each site), so that the user can sign out in one browser but still be signed in in another. Signing out always signs out for all sites.</li>
</ul>
<p>The only problem I can see with the above is this:</p>
<ul>
<li>Someone visits <code>example.com</code>. A "not-logged-in" cookie is set.</li>
<li>Zie then goes onto <code>example.net</code>. Ditto.</li>
<li>Zie then signs in, and continues browsing on <code>example.net</code>.</li>
<li>Zie then goes back to <code>example.com</code> and, because of the "not-logged-in" cookie, is not checked against <code>id.example.org</code> and is therefore not logged in.</li>
<li>However, as soon as zie clicks the "log in" button, zie is logged in.</li>
</ul>
<p>I don't think this is a major problem.</p>
<p>On the whole, I think it's a pretty good system. I'd just like to see it reviewed. Are there any problems I haven't foreseen? Would it be buggy or slow? StackExchange uses a very different method. I assume they have a good reason for that?</p>
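The token model the question proposes (one login per browser at id.example.org, a different token per site, logout revoking all of them at once but leaving other browsers signed in) and the "not-logged-in" cookie it worries about, as an added Python example that is not part of the original post. The class and function names, the in-memory store standing in for the database, and the 300-second TTL are assumptions.

```python
import secrets
import time
from dataclasses import dataclass, field

# Constructed model (not the poster's code) of the logout scheme in the question:
# one login session per browser at id.example.org, a distinct token per site inside
# it, and logout revoking every token of that login session while other browsers' stay.
SITES = ("example.com", "example.net")  # site names taken from the question
NOT_LOGGED_IN_TTL = 300  # seconds; assumed value bounding the stale-cookie window


@dataclass
class TokenStore:
    tokens: dict = field(default_factory=dict)  # token -> (user, session_id, site)

    def login(self, user: str, sites=SITES) -> dict:
        """Issue one distinct token per site, all tied to one login session."""
        session_id = secrets.token_hex(16)
        issued = {}
        for site in sites:
            tok = secrets.token_urlsafe(32)
            self.tokens[tok] = (user, session_id, site)
            issued[site] = tok
        return issued

    def validate(self, site: str, token: str):
        """Return the user if the token is live and bound to this site, else None."""
        rec = self.tokens.get(token)
        if rec is None or rec[2] != site:
            return None
        return rec[0]

    def logout(self, token: str) -> int:
        """Revoke every token of the same login session; old cookies become meaningless."""
        rec = self.tokens.get(token)
        if rec is None:
            return 0
        victims = [t for t, r in self.tokens.items() if r[1] == rec[1]]
        for t in victims:
            del self.tokens[t]
        return len(victims)


def should_check_provider(not_logged_in_cookie, now=None) -> bool:
    """Ask id.example.org (immediate mode) unless a fresh negative cookie exists;
    the TTL bounds how long the stale state in the question's example can last."""
    now = time.time() if now is None else now
    if not_logged_in_cookie is None:
        return True
    return now - float(not_logged_in_cookie) > NOT_LOGGED_IN_TTL
```

Giving the negative cookie an expiry is one way to cap the window in which a user who signed in on one site is still treated as anonymous on another.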