I’ve been working on single sign-on lately.

Our single sign-on is probably the simplest possible.

[General principle]

Assume there are two application sites, A and B, both of which require login, and one SSO site dedicated to logging users in.

When a user visits site A, site A checks whether the user has already logged in. If so, site A returns the requested page. If not, the user is sent to SSO to log in; after the login succeeds, SSO sends the user back to site A, which returns the page that was originally requested.

The user then visits site B. Site B likewise checks whether the user is logged in. Since the user already is, site B returns the requested page directly.

This is single sign-on: log in once, and you are admitted everywhere.

[Detailed principle]

How does a site know whether a user is logged in?

When the user logs in at SSO, the login information is recorded in SSO's cookie. When the user is sent back to application site A or B, the login information is also recorded in that site's own cookie. Login information therefore exists both at SSO and at the application site.

When a user requests a page, the application site checks its own cookie first. If the cookie is present, the user is logged in. If it is absent, the application site redirects the user to SSO to log in.

On arrival at SSO, SSO likewise checks its own cookie first to see whether the user has logged in. If so, SSO automatically redirects the user back to the application site and tells it that the user is logged in. If there is no cookie, the login page is shown for the user to log in. Whichever application site triggers the first login, SSO ends up holding a cookie, and that is what makes single sign-on possible.

The cookie on SSO should be a persistent cookie, or at least a long-lived one (two weeks, a month, and so on). The cookies on the application sites are session cookies that disappear when the browser is closed.

[Logout]

The procedure is to clear the application site's login cookie and then go to SSO to clear SSO's cookie.

Single sign-on is therefore not the same as single sign-off. After logging out of site A, the cookies of site A and of SSO are cleared, but site B's cookie remains and site B has no way of knowing that the user logged out; it keeps working normally until the browser is closed.

This looks like a bug. For systems with low security requirements, however, it is not a big problem.


[Afterword]

In fact, it is not difficult to implement single sign-on if every participating site points its cookie Domain at the level 1 domain (note that www.abc.com is level 2, while abc.com is level 1). As follows:

              // the login cookie set by each sub-site; Secure = false means it is also sent over plain HTTP
              cookie.Secure = false;
              // a leading dot makes the cookie visible to every host under abc.com
              cookie.Domain = ".abc.com";

Then, when one sub-site logs out, it modifies this shared cookie; the other sub-sites read the same cookie and therefore know that the user has logged out.
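A small simulation of the login flow described above and of the afterword's shared-domain variant, added here as an illustration (not the author's code). The browser cookie jar, the host names sso.abc.com, a.abc.com and b.abc.com, and the user name are all constructed for the example.

```python
from dataclasses import dataclass, field

SSO_HOST = "sso.abc.com"  # constructed host name, not from the original post

@dataclass
class Browser:
    """Cookie jar keyed by Domain; a host reads cookies whose Domain is the host or a '.parent' of it."""
    jar: dict = field(default_factory=dict)

    def set(self, domain, name, value):
        self.jar.setdefault(domain, {})[name] = value

    def get(self, host, name):
        for domain, cookies in self.jar.items():
            visible = host == domain or (domain.startswith(".") and host.endswith(domain))
            if visible and name in cookies:
                return cookies[name]
        return None

    def clear(self, domain, name):
        self.jar.get(domain, {}).pop(name, None)

def visit(browser, app_host, cookie_domain, user):
    """One request to an application site; returns how the login was satisfied."""
    if browser.get(app_host, "login"):
        return "app-cookie"                    # the site's own cookie is present
    if browser.get(SSO_HOST, "login"):         # redirected to SSO, which still has its cookie
        outcome = "sso-cookie"
    else:                                      # SSO shows the login form
        browser.set(SSO_HOST, "login", user)
        outcome = "login-form"
    browser.set(cookie_domain, "login", user)  # SSO sends the user back; the site records the login
    return outcome

def logout(browser, cookie_domain):
    """Clear the application site's login cookie, then SSO's."""
    browser.clear(cookie_domain, "login")
    browser.clear(SSO_HOST, "login")

def per_site_cookies():
    # each site keeps its own cookie: logging out of A leaves B logged in
    b = Browser()
    steps = [visit(b, "a.abc.com", "a.abc.com", "alice"), visit(b, "b.abc.com", "b.abc.com", "alice")]
    logout(b, "a.abc.com")
    return steps, b.get("b.abc.com", "login")

def shared_domain_cookie():
    # afterword variant: both sites set Domain ".abc.com", so B sees A's logout
    b = Browser()
    steps = [visit(b, "a.abc.com", ".abc.com", "alice"), visit(b, "b.abc.com", ".abc.com", "alice")]
    logout(b, ".abc.com")
    return steps, b.get("b.abc.com", "login")
```

With per-site cookies, site B still reports "alice" after A logs out; with the shared Domain it reports nobody, which is the single sign-off the afterword describes.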