Cross domain login - what to store in the database?


Question


I'm working on a system which will allow me to login to the same system via various domains. (www.example.com, www.mydomain.com, sub.domain.com etc)

The following threads form the basis of my research so far:
Single Sign On across multiple domains
Cross web domain login with .net membership

What I want to happen is that if I am logged in on the master domain and I visit a page on a slave domain I am automatically logged in on the slave.

Obviously if I am not logged in on the master, I will need to enter my username and password.

Walkthrough:
1. User logs in on master site
2. User navigates to slave site
3. Slave site re-directs to master site to see if User is logged in.
4. If User is logged in on master, record a RFC 4122 token ID and send this back to the slave site.
5. Slave site then looks up the token ID in the central database and logs this user in.

This might eventually end up running on more than one instance of PHP and Apache, so I can't just store:

token_id, php_session_id, created

Is there any problem with me storing and using this:

token_id, username, hashed_password, created

Which is deleted on use, or automatically after x seconds.

Solution

The basic idea is OK in the link you refer to but it's also talking about session management - forget about what to store in the database - all you need to do is enable sessions on master and clients. And store the authenticated username in the session (primarily so you can see if the user has been authenticated).

  1. User navigates to client site
  2. Client site re-directs to master site to see if User is logged in.

No - you only redirect from the slave site (calling it a client gets confusing) if slave site determines that the user has not been authenticated.

Forget about RFC 4122 - it's just a clever way to get uuids which are being used in the post you refer to as session identifiers. PHP already generates perfectly good values.

You need to pass some sort of message back from the master to the slave which provides the user id and the fact that the user has been authenticated in the URL (you can't transfer cookies across domains and you can't do a POST in a redirect). One obvious way of doing this would be to have a shared secret on both master and slave, then....

// On the master: $user is the username held in the master's own session,
// encrypt()/decrypt() stand for any symmetric scheme keyed with $shared_secret
$redirect_to='http://slave.example.com/sso_lander.php?auth_token='
       . encrypt($some_random_alphanum_chars
         . '/' . $user . '/'
         . time(), $shared_secret);
header("Location: $redirect_to", true, 303);
exit;

Then on the slave:

session_start();   // the slave must have sessions enabled too
if (empty($_SESSION['authenticated_user']) && !empty($_GET['auth_token'])) {
    $auth_token=explode('/', decrypt($_GET['auth_token'], $shared_secret));
    // token is "random/user/timestamp"; if more than 3 seconds after generation - DO NOT USE
    if (count($auth_token) == 3 && abs($auth_token[2]-time())<3) {
          $_SESSION['authenticated_user']=$auth_token[1];
    }
}

Note the above is for illustration only - there is still a small window open for replay attacks and other things which should be tidied up - a better solution is that the slave generates a challenge which it stores in the local session and copies to the master. The master includes this in the encrypted reply. But the code for this is a bit more complex.
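The following is an added example, not part of C.'s answer, that models both sides of the exchange described above: the URL-carried token from the master, the 3-second time window, and the slave-generated challenge that closes the replay window. It is written in Python as a language-neutral model of the flow (the answer's PHP is equally applicable), and it substitutes an HMAC-SHA256 tag for the answer's placeholder encrypt()/decrypt(), since what the slave needs is proof that the token came from the master unmodified; wrapping the payload in encryption as well would additionally hide the username from the URL. The endpoint URLs, the secret, and the function names are all assumed/constructed.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed values: in a deployment the secret lives in config on both hosts.
SHARED_SECRET = b"constructed-shared-secret-change-me"
MASTER_URL = "https://master.example.com/sso_check.php"   # hypothetical endpoint
SLAVE_URL = "https://slave.example.com/sso_lander.php"    # hypothetical endpoint
MAX_AGE_SECONDS = 3   # same window as the answer's code


def _sign(payload: bytes, secret: bytes) -> str:
    return hmac.new(secret, payload, hashlib.sha256).hexdigest()


def slave_begin_sso(slave_session: dict) -> str:
    """Slave, step 1: user is not authenticated here, so mint a challenge,
    keep it in the local session and redirect to the master carrying it."""
    challenge = secrets.token_urlsafe(16)
    slave_session["sso_challenge"] = challenge
    return MASTER_URL + "?" + urlencode({"challenge": challenge})


def master_issue_token(master_session: dict, request_url: str, secret: bytes,
                       now: Optional[int] = None) -> Optional[str]:
    """Master: if the user is logged in here, answer with a redirect to the slave
    whose auth_token binds user id, timestamp and the slave's challenge.
    Returns None when the master must show its login form instead."""
    user = master_session.get("authenticated_user")
    challenge = parse_qs(urlparse(request_url).query).get("challenge", [""])[0]
    if not user or not challenge:
        return None
    ts = int(time.time()) if now is None else now
    payload = json.dumps({"nonce": secrets.token_hex(8), "user": user,
                          "ts": ts, "challenge": challenge}).encode()
    token = base64.urlsafe_b64encode(payload).decode().rstrip("=") + "." + _sign(payload, secret)
    return SLAVE_URL + "?" + urlencode({"auth_token": token})


def slave_consume_token(slave_session: dict, request_url: str, secret: bytes,
                        now: Optional[int] = None) -> bool:
    """Slave, step 2: verify tag, age and challenge, then log the user in.
    The challenge is removed from the session before checking, so a token
    can only ever be accepted once and a failed attempt forces a fresh round."""
    if slave_session.get("authenticated_user"):
        return True
    token = parse_qs(urlparse(request_url).query).get("auth_token", [""])[0]
    expected_challenge = slave_session.pop("sso_challenge", None)   # single use
    if not token or not expected_challenge or "." not in token:
        return False
    b64, sig = token.rsplit(".", 1)
    try:
        payload = base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4))
    except ValueError:
        return False
    if not hmac.compare_digest(_sign(payload, secret), sig):   # forged or altered
        return False
    try:
        claims = json.loads(payload)
    except ValueError:
        return False
    ts = int(time.time()) if now is None else now
    if abs(int(claims.get("ts", 0)) - ts) >= MAX_AGE_SECONDS:   # stale token
        return False
    if claims.get("challenge") != expected_challenge:           # replay or cross-session
        return False
    slave_session["authenticated_user"] = claims["user"]
    return True


if __name__ == "__main__":
    master, slave = {"authenticated_user": "alice"}, {}
    to_master = slave_begin_sso(slave)
    to_slave = master_issue_token(master, to_master, SHARED_SECRET)
    print(slave_consume_token(slave, to_slave, SHARED_SECRET), slave)
```

The `now` parameter exists only so the age check can be exercised deterministically; in a request handler both sides use the clock, and the 3-second window assumes the two hosts keep reasonably synchronised time.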

C.
