Tuesday, March 26, 2002 08:49 PM
I just have an idea on how to implement a single sign-on. But I'm not sure whether it will have any problem.
Assume the requirement is that when the user has logged in to site A, he does not need to log in to site B anymore. And A and B can share a common database.
The scenario is :
1. User logs in to A.
2. A writes the user ID and a random key into the DB.
3. A writes the user ID and the key in a cookie, and the cookie is made available to B.
4. When the user goes to B, B checks that it has a user ID and key in the cookie. Then B checks whether the user ID and key exist in the DB.
5. If the DB record exists, B allows the user to log in.
6. When the user logs out from either A or B, the DB record is removed.
Does anyone see any security flaws here?
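A runnable sketch of the six-step flow above, added here as an example and not part of the original post. A dict stands in for the common database; the session lifetime, the cookie domain and the cookie attributes are assumptions, and the key is stored only as a hash so a copy of the DB cannot be turned back into a valid cookie.

```python
# Added example (not the poster's code): the shared-database single sign-on
# flow described above, with a dict standing in for the common database.
import hashlib
import secrets
import time

SESSION_TTL = 8 * 3600  # assumption: a record is only honoured for 8 hours

# Stands in for the table shared by site A and site B: hash(key) -> record.
shared_db = {}


def _key_hash(key):
    # Only the hash is stored; a leaked table does not yield usable cookies.
    return hashlib.sha256(key.encode()).hexdigest()


def login(user_id, now=None):
    """Steps 1-3: site A records user ID + random key and builds the cookie."""
    key = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, not guessable
    now = time.time() if now is None else now
    shared_db[_key_hash(key)] = {"user": user_id, "expires": now + SESSION_TTL}
    # Cookie scoped to the parent domain so both A and B receive it (assumed
    # to be example.com); Secure/HttpOnly keep it off plain HTTP and away
    # from page scripts.
    return {"value": f"{user_id}:{key}",
            "attrs": "Domain=example.com; Secure; HttpOnly; SameSite=Lax"}


def check(cookie_value, now=None):
    """Steps 4-5: site B accepts the user only if cookie and DB record agree."""
    now = time.time() if now is None else now
    user_id, _, key = cookie_value.rpartition(":")  # key never contains ':'
    if not key:
        return None
    record = shared_db.get(_key_hash(key))
    if record is None or record["expires"] < now:
        return None
    if record["user"] != user_id:  # key must belong to the user ID presented
        return None
    return user_id


def logout(cookie_value):
    """Step 6: deleting the shared record ends the session on both sites."""
    _, _, key = cookie_value.rpartition(":")
    shared_db.pop(_key_hash(key), None)
```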