Millions of domains – Single Sign-in
Alright, “millions of domains” is a bit of an exaggeration, hundreds is more accurate. 613 to be exact. That’s how many domains one project I’ve been working on has. What makes this situation a little stranger is that all these domains point to the same hosting account. I’ll give a bit more information about the project in a bit.
There is one feature of this project which required a bit of extra thinking, and that was having a single-sign-on from any of the domains. The feature would need to allow a user to log in from one of the 600 domains and still be logged in if they accessed the site from another. The problem doesn’t get complicated until you add in that the idea was for the address bar not to show a single site but to stay at the domain the user typed in, and that frame-based “masking” was out because IE6 SP2 (might have been IE7) blocks third-party cookies by default – which is what the login cookies would have been if using frame-based “masking”.
My solution to the problem probably isn’t the most elegant but it does the job for now.
When a user enters one of the domains, if there isn’t an authentication cookie in their browser for that domain, a redirect is performed. The user is sent briefly to a central domain, which checks if the user is logged in on the central domain and, if they are, sends back the session_id in the URL. Now, because all these domains ultimately lead to one hosting account on a single server, the session_id sent back works perfectly and allows them to log in. At this point, the system also attaches a cookie to the current domain so that, if they come back to this one, another redirect won’t be required.
When a user goes to one of the domains but isn’t logged in, they are of course briefly sent to the central domain, which comes back saying they aren’t logged in there either, and the login page is shown. Once filled in, the login form is posted back to the central domain, which authenticates the details and redirects the user back to the domain they typed in, along with the new session_id. This now means the authentication cookie is set on the central domain and it will now be set on the domain they typed in.
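The redirect handshake described above, as an added example in Python that is not the project's own code. It differs from the post in one respect: the URL carries a single-use, short-lived ticket in place of the raw session_id, because URLs are kept in browser history, server logs and Referer headers. The domain names, paths, TTL and in-memory store are assumptions.

```python
import secrets
import time
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed sample data: hypothetical domain names and an in-memory store
# standing in for storage shared by every domain on the one hosting account.
SITE_DOMAINS = {"site-a.example", "site-b.example"}   # the real list has 613
TICKET_TTL = 30                                        # seconds (assumed value)
_tickets = {}                                          # ticket -> (session_id, host, expiry)


def central_redirect(return_host, central_session_id, now=None):
    """Central domain: decide where to send the browser back to."""
    now = time.time() if now is None else now
    if return_host not in SITE_DOMAINS:
        # Never redirect, or hand a login, to a host outside our own domains.
        raise ValueError("unknown return host")
    if central_session_id is None:
        # Not logged in on the central domain either: show the login page.
        return f"https://{return_host}/login"
    ticket = secrets.token_urlsafe(32)
    _tickets[ticket] = (central_session_id, return_host, now + TICKET_TTL)
    return f"https://{return_host}/sso?" + urlencode({"ticket": ticket})


def redeem(request_host, url, now=None):
    """Entered domain: swap the ticket for the session_id.

    Returns the session_id, or None if the ticket is unknown, already used,
    expired, or was issued for a different domain. The caller then sets the
    per-domain authentication cookie so no further redirect is needed.
    """
    now = time.time() if now is None else now
    ticket = parse_qs(urlsplit(url).query).get("ticket", [""])[0]
    entry = _tickets.pop(ticket, None)                 # pop makes it single use
    if entry is None:
        return None
    session_id, host, expiry = entry
    if host != request_host or now > expiry:
        return None
    return session_id
```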
Alex Taylor is a web developer living and working in