SSO, security, signing in and methods (PHP)

General PHP Help
#1

Hello!

I am trying to figure out a secure but simple way for a single sign on.
Master site will be the main login site. Slave site will be the other website / domain.

Would it be secure if there was a login form on the slave site, when the user accesses it, the slave login form will be on a SSL connection. Once the user submits the login form on the slave site login script runs a file_get_contents to the master site (which is also on SSL), eg(https://mastersite.com/api/auth/?secret_key=[super_secret_key]&user=[username]&pass=[password]) and the master site returns a JSON result with their username. If the result is true the slave site starts the session.

I also have in mind that when the user clicks a login button on the slave site it redirects them to the master site, if they are logged in to the master site it will redirect them back to the slave site with JSON details. I’m not sure if I am explaining myself correctly here; have you ever used the login as steam on a website? How it works is basically a user clicks a button on the site and it redirects him or her to the steam api login, once they click login steam redirects them back to the website with some details such as their steam id. How would you go about doing this?

Thanks.

#2

I strongly encourage running your entire site behind TLS (aka “new SSL”). Today you can get proper certificates for free, so people (yes you non OP as well) - please use them. They are not only for securing submitted data, they are useful for a lot of stuff! Like actually validating to the user that the site he’s on and the info he’s getting is actually from who he expect it’s from. I can’t be the only one who find it cringe-worthy that a lot of downloads today are still served without TLS/SSL, without that - how can you possibly trust a (sometimes) huge installer that requires administrative access to your machine…? (???)

You should not pass super secret stuff (as the users password) via GET params (in the URL) - one reason is that the URLs are usually stored and harvested by a lot of logging stuff.

Using a JWT token (secret key) you can authenticate a token between any number of sites. You can store whatever you like in the token (user id, email, etc) so you can implement pretty much whichever method of fetching the authenticated user on different sites if need be.

#3

Hello, thank you for the reply. Thank you for the information, it is very useful.

Thank you.

Sponsor our Newsletter | Privacy Policy | Terms of Service