Sina SSO Login Process Analysis

Source: Internet
Author: User
Tags: cas

I recently studied the Sina CAS login process and found that Sina's SSO is an implementation of Yale CAS with a few additions; the basic authentication interaction is unchanged. Its original contribution is Ajax-based single sign-on, which is quite impressive. The implementation principle is an iframe plus a JavaScript callback function.

One, Basic SSO

Basic SSO achieves unified login for all hosts under the same parent domain by setting the cookie on that shared parent domain (.xxx.com rather than an individual host). For example:

Single sign-on address: sso.xxx.com/login.jsp

Application 1: web1.xxx.com/login.jsp

Application 2: web2.xxx.com/login.jsp

Application 3: web3.xxx.com/login.jsp

Login process:

Case one (the user has never logged in):

1, The user visits web1.xxx.com/login.jsp; web1 redirects to sso.xxx.com/login.jsp.

2, The user enters credentials and is verified. sso.xxx.com sets the cookie Tokenid on the .xxx.com domain and redirects to web1.xxx.com/login.jsp. web1.xxx.com reads the .xxx.com domain cookie, validates Tokenid, and the login is complete. Because the cookie is scoped to .xxx.com, every host under that domain receives it, so Tokenid is only as safe as the least trusted subdomain.

Case two (the user has already logged in): the Tokenid cookie is already present, so the login succeeds directly.

Two, Sina SSO

Sina implements unified login across different domains, and it is again based on cookies: if the user disables cookies, login is impossible. For example, the Sina SSO server is login.sina.com.cn/sso/login.php and the Weibo login address is weibo.com/login.php. Login across unrelated domains is achieved with callback functions and an iframe.

Specific authentication flow (only the case where the user has never logged in is covered here):

1, The user opens weibo.com/login.php.

2, The user types the username. When the username input box loses focus, the page sends an AJAX request to login.sina.com.cn/sso/prelogin.php with the parameter user (the username just entered). The server returns its server time and an authentication nonce, which a callback function writes into JavaScript variables.

3, The user enters the password and clicks login. The page sends a POST request (note: an AJAX request issued from the page, not from login.php) to login.sina.com.cn/sso/login.php?client=ssologin.js(v1.3.12). The originating page of the request is an invisible iframe inside weibo.com/login.php. The parameters are the server time and nonce obtained in step 2, together with the username and the encrypted password. On success the response sets the cookie TGT under login.sina.com.cn and at the same time changes the iframe's address to weibo.com/ajaxlogin.php?ticket=xxxxxx. Note that the ticket is very important: it is the credential that carries the user's login over to the service.

4, The iframe loads weibo.com/ajaxlogin.php?ticket=xxxxxx; the user is logged in there, a cookie is set under .weibo.com, and the user's login information is recorded.

5, JavaScript then visits weibo.com/login.php again. Because the cookie has already been written, the login succeeds and the server returns a 302 redirect to the user's home page, weibo.com/userid.

6, The login process is complete.

Key points: the interaction flow and the analysis of the password encryption algorithm.
