在几个网站的透明的用户会话(单点登录+单签收) [英] Transparent user session over several sites (single sign-on + single sign-off)
问题描述
我在不同领域的几个网站: example.com , example.org , mail.example.com
和 passport.example.org 。所有的网站都具有共同的外观和感觉,并
应该共享相同的用户群。
I have several sites in different domains: example.com, example.org, mail.example.com
and passport.example.org. All of the sites are having common look-and-feel and
should share the same user base.
在这种极端情况下我还是希望所有的网站的透明的(尽可能)
具有以下主要性能占有率用户会话:
And in such extreme case I still want all the sites to transparently (as much as possible) share user sessions with the following key properties:
-
单点登录即可。当
passport.example.org用户登录并访问
任何其他网站 - 他应被视为已登录
Single sign-on. When user signs on at
passport.example.organd visits any other site — he should be treated as logged in.
得到你好, $用户名问候现场报头和不同
导航菜单,列出的服务,他们有机会获得。如果他没有登录,而不是
问候的还有链接上签名,指向 passport.example.org/signon 。
Logged in users get "Hello, $username" greeting in site header and different
navigation menu, listing services they have access to. If he's not signed in, instead
of greeting there's a "Sign on" link, pointing to passport.example.org/signon.
信任域的列表是已知的,所以这是贯彻落实要么相当简单
使用OpenID或者一些homebrewn轻量级协议。当用户第一次打
现场,我重定向他特殊的身份验证终端在 passport.example.org ,
然后默默重定向他回去,身份信息(或未签署
匿名身份)包括在内。对于大多数浏览器,这是完全透明的。
很显然,我使用的随机数的值打的重定向循环。
The list of trusted domains is known, so this is fairly simple to implement either
with OpenID or with some homebrewn lightweight protocol. When user first hits the
site, I'm redirecting him to special authentication endpoint at passport.example.org,
which then silently redirects him back, with identity information (or "not signed on"
anonymous identity) included. For most browsers this is completely transparent.
Obviously, I'm using nonce values to fight redirection loops.
单点登录关闭。在任何网站的标题,当用户点击搁笔
接下来的时间,他访问任何站点 - 他应该被看作是没有签署
Single sign-off. When user clicks "sign off" in the header of any site the next time he visits any site — he should be seen as "not sign on".
OpenID的不是为此而设计的。我现在的想法(我已经有一个局部工作
实现)是一种将不是用户的身份,但全球会话令牌和共享
全球会话表中DB(global_session_token↔用户关系)。
OpenID was not designed for this. My current idea (I already have a partially-working implementation) is to send not user identity, but "global" session token and share global sessions table (global_session_token ↔ user relation) in DB.
机器人和cookie的用户支持。网站是有公共区域,应
是通过用户代理访问没有任何cookie支持。
Robots and cookieless-users support. Sites are having public areas, which should be accessible by user-agents without any cookie support.
由于这个原因,重定向我在(1)中提到成为一个问题,因为对于
每一个页面请求,我将最终抛出的用户代理要权威性端点和背部。
这不仅会混淆的机器人,但它会污染我的会议数据库
死的出生会非常快。我绝对不希望显示哎,
你没有启用Cookie,走开!的页面,那会是非常无礼的行为,并
令人失望的。虽然我需要支持cookie登录,我希望用户能够自由地阅读
什么网站是等等 - 没有任何限制
Because of this, redirection I've mentioned in (1) becomes a problem, because for every single page request, I'll end up throwing user-agent to auth endpoint and back. Not only this will confuse robots, but it will pollute my session database with dead-on-birth sessions very quickly. And I definitely don't want to display "hey, you don't have cookies enabled, go away!" page, that'd be extremely rude and disappointing. While I require cookie support to login, I want users to freely read what the sites are for and so on — without any restrictions.
和我明确的不的想要把URL中的会话ID除了一些透明
跨域重定向我已经提到。我相信这样做是一个安全问题
而只是一般一件坏事。
And I explicitly don't want to put session IDs in URLs except for some transparent cross-domain redirections I've mentioned. I believe doing such is a security problem and just generally a Bad Thing.
在这里,我几乎没了主意。
And here I'm almost out of ideas.
好吧,我知道这很难,但谷歌实际上做此以某种方式( google.com ,谷歌。的 的通用顶级域名批次的-, gmail.com 等),右?所以这应该是
可能的。
Okay, I know this is hard, but Google actually does this somehow with (google.com,
google.lot‑of‑gTLDs, gmail.com and so on), right? So this should be
possible.
我会为任一协议描述的想法感激(这会是最好的)或链接
以系统(无论是code阅读或只是住的网站观看和学习时)已经
成功地实施这样的事情。
I'd be grateful for either protocol description ideas (that'd be the best) or links to systems (either code to read or just live sites to watch and learn upon) already successfully implementing something like this.
概括起来:若干领域没有共同的根,共同的用户群,单点登录,单点登录了,无需cookies来浏览匿名
To sum it up: Several domains without common root, shared user base, single sign-on, single sign-off, no cookies required to browse anonymously.
所有站点都在同一个网络上(但休息在不同的服务器),并部分地
共享相同的PostgreSQL数据库(在同一数据库的不同方案休息)。
大多数网站都是使用Python编写的/ Django的,但他们中的一些使用PHP和Ruby on Rails。而我在想什么框架 - 与语言无关,我为指向任何实现感激。即使我不能够使用他们,如果我要得到的想法它是如何做有可能我就可以拿出实施类似的东西。
All of the sites are on the same network (but rest on different servers) and partially share the same PostgreSQL database (resting in the different schemes of the same database). Most of sites are written with Python/Django, but some of them are using PHP and Ruby on Rails. While I'm thinking of something framework- and language-agnostic, I'm grateful for pointing to any implementations. Even if I won't be able to use them, if I'll get the idea how it's done there maybe I'll be able to come up implementing something similar.
推荐答案
好吧,让我解释了一下,然后进一步。 (所有URL都是虚构的!)正如我所说的,游客去 http://www.yourwebpage.com 并表示他希望登录。他将被重定向到<一个href=\"http://your.loginpage.org?return=http://www.yourwebpage.com/Authenticated\">http://your.loginpage.org?return=http://www.yourwebpage.com/Authenticated在那里,他将必须提供自己的用户名和密码。
当他的帐户信息有效,他将返回到在登录URL提供的网页,但与该将被用作ID的附加参数。于是,他去<一个href=\"http://www.yourwebpage.com/Authenticated?ID=SharedSecret\">http://www.yourwebpage.com/Authenticated?ID=SharedSecret哪里SharedSecret将是一个临时ID,有效期为30秒或更少。
当你的认证页面被调用时,页面会接着调用的之间yourwebpage.com和loginpage.org共同寻找SharedSecret的帐户信息检索更永久ID的方法。这一永久ID存储在yourwebpage.com的Web会话不应该被显示给用户。
共享的方法可以是任何东西。如果两个服务器都在同一台机器上,他们可能只是都访问同一个数据库。否则,他们可能会通过Web服务的另一个服务器通信。这将是服务器到服务器通信从而如果用户是一个机器人或不具有支持cookie也没关系。这部分将不会被用户察觉。
你必须要处理的唯一的事情就是该用户的会话。通常情况下,用户将被发送的是存储在cookie中的会话ID,但它也可以是URL的一部分作为GET请求的一部分。它是更安全了一下,有一个POST请求里的会话ID,不过,通过添加一个隐藏的输入字段到表单。
幸运的是,一些Web开发语言都已经提供会话支持,所以你甚至不必担心维护会话和发送会话ID的。该技术很有趣,虽然。你需要知道,会议应该永远是暂时的,因为有一个风险,即会话ID的阻挠。
如果你要处理不同域上多个网站则需要先在一些服务器到服务器的通信工作。最简单的是,让他们共享同一个数据库,但它更好地构建Web服务解决这个数据库,对额外的保护。请确保该Web服务只从自己的域接受请求只是增加甚至有点更多的保护。
当你有服务器到服务器的连接,那么用户将能够在站点间只要你沿着一个会话ID传递到新的领域,用户将登录切换。如果用户是使用饼干,这是不太可能的会话丢失这将需要重新登录。如果没有Cookie,有一个机会,用户必须再次登录获取新的Cookie如果会话ID被浏览页面之间丢失。 (例如,参观者前往参观谷歌,然后回到你的网站。用一个cookie,会话可以从cookie中读取。如果没有一个cookie,因为谷歌的会话丢失将无法通过会话ID转发
请记住,传递会话ID的不同的域之间是一个安全隐患。会话ID可以被劫持,从而有可能为别人冒充您的访客。因此,会话ID的应该是短暂的,模糊的。但是,即使黑客获得访问会话ID,他仍然不会有完全访问帐户本身。他将无法拦截服务器到服务器的通信,所以他无法与您的用户信息访问数据库,除非他直接进入登录页面。
Well, let me explain a bit further then. (All URLs are fictional!) As I said, the visitor goes to http://www.yourwebpage.com and indicates he wants to log in. He is redirected to http://your.loginpage.org?return=http://www.yourwebpage.com/Authenticated where he will have to provide his username and password.
When his account information is valid, he will return to the page that was provided in the login URL, but with an additional parameter that will be used as ID. Thus, he goes to http://www.yourwebpage.com/Authenticated?ID=SharedSecret where SharedSecret would be a temporary ID, valid for 30 seconds or less.
When your authentication page gets called, the page would then call a method that's shared between yourwebpage.com and loginpage.org to look for the account information of SharedSecret to retrieve a more permanent ID. This permanent ID is stored in the web session of yourwebpage.com and should NEVER be shown to the user.
The shared method could be anything. If both servers are on the same machine, they could just both access the same database. Otherwise, they might communicate with another server through web services. This would be server-to-server communication thus it doesn't matter if the user is a robot or has no cookie support. This part won't be noticed by the user.
The only thing you'll have to deal with is the session for the user. Normally, users will be sent a session ID that's stored in a cookie but it can also be part of the URL as part of a GET request. It's a bit more secure to have the session ID inside a POST request, though, by adding a hidden input field to your form.
Fortunately, several web development languages do already provide session support so you don't even have to worry about maintaining sessions and sending session ID's. The technique is interesting, though. And you need to be aware that sessions should always be temporary since there's a risk that session ID's get hijacked.
If you have to deal with multiple sites on different domains then you will need to work on some server-to-server communication first. The easiest would be by letting them share the same database but it's better to build a web service around this database, for additional protection. Make sure this web service only accepts requests from your own domains just to add even a bit more protection.
When you have server-to-server connections, then the user will be able to switch between your domains and as long as you're passing along a session ID to the new domain, the user will be logged in. If the user is using cookies, it's not very likely that the session gets lost which would require to log in again. Without cookies, there's a chance that the user will have to log in again to get a new cookie if the session ID gets lost between browsing pages. (For example, the visitor goes to visit Google and then goes back to your site. With a cookie, the session could be read from the cookie. Without a cookie the session is lost since Google won't pass the session ID forwards.
Do keep in mind that passing on session ID's between different domains is a security risk. The session ID can be hijacked, thus making it possible for someone else to impersonate your visitor. Therefore, session ID's should be short-lived and obfuscated. But even if a hacker gains access to a session ID, he still won't have full access to the account itself. He won't be able to intercept the server-to-server communication so he can't access the database with your user information, unless he goes to the login page directly.
这篇关于在几个网站的透明的用户会话(单点登录+单签收)的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
