This article shares how to implement single sign-on with PHP; the content is a useful reference and will hopefully help anyone who needs it.
Explanation of single sign-on
Single sign-on, or SSO, is currently one of the most popular solutions for enterprise business integration. SSO means that, in an environment with multiple application systems, a user logs in only once and can then access every application that trusts that login.
Method of implementation
Server side
"Shared cookie" is really a way of sharing the session: the cookie is only the medium that carries the session ID, and the session ID could just as well be placed in the URL of every request. The session mechanism itself is a server-side session.
The SSO-token mode exists because sharing the session is not secure, so the session ID is no longer used as the identity. Instead an additional identifier is generated, named the SSO token, which is unique across the whole server group; every server in the group can therefore verify the token, and the token represents the user's information.
Browser side
Single sign-on also has a very critical step beyond the server side's verification of the token. Whether the earliest "shared session" approach or the current "token" approach is used, the browser side faces the same problem: after the user logs in successfully and receives the token (or session ID), how does the browser store it and share it under another domain? Under the same domain name this is simple: the token is kept in a cookie that is scoped to the top-level domain name, so every subdomain can read the token from the cookie. This is how the cookie is shared (it is called a shared cookie, though it should really be called a shared session). For example, for Google, google.com is its top-level domain name, and the mail service mail.google.com and the map service map.google.com are its subdomains. But what happens across domains? Google also owns the domain name youtube.com to provide its video service [2].
How the technology is realized
When a user first accesses an application system, they are not yet logged in, so they are redirected to the authentication system to log in. Based on the login information the user provides, the authentication system verifies their identity; if verification passes, it returns to the user an authentication credential, the ticket. When the user then accesses another application, the ticket is presented as the proof of their authentication. That application receives the request and sends the ticket to the authentication system, which checks the ticket's legitimacy. If it passes, the user can access application system 2 and application system 3 without having to log in again.
To implement SSO, the following key features are needed:
All application systems share one identity authentication system.
A unified authentication system is one of the prerequisites for SSO. The main function of the authentication system is to compare the user's login information against the user database and authenticate the user; after successful authentication, the authentication system generates a unified authentication mark (the ticket) and returns it to the user. In addition, the authentication system must be able to examine a ticket and determine whether it is valid.
All application systems can identify and extract ticket information.
For SSO to let users log on only once, each application must be able to recognize users who have already logged in. An application system should be able to identify and extract the ticket and, by communicating with the authentication system, automatically determine whether the current user is logged in, thus completing the single sign-on function.
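As an added example that is not part of the original article, here is one way to implement in PHP the token mode from the server-side section together with the ticket issuance and checking described above: the authentication system signs a ticket with a secret shared by the whole server group, and each application verifies it locally with a constant-time comparison and an expiry check instead of calling back to the authentication system. The secret value, the user id and the function names are assumptions.

```php
<?php
// Added example, not from the original article: the authentication system issues
// a ticket after login, and any application in the server group verifies it with
// the shared secret instead of looking up a session. The secret and the user id
// are constructed placeholder values.
const SSO_SECRET = 'replace-with-a-long-random-secret-shared-by-the-server-group';
const TICKET_TTL = 300; // seconds a ticket stays valid

function base64url(string $bin): string {
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}
// Authentication system: call only after the login form has been checked.
function issueTicket(string $userId, int $now): string {
    $payload = json_encode([
        'sub' => $userId,
        'iat' => $now,
        'exp' => $now + TICKET_TTL,
        'jti' => bin2hex(random_bytes(16)), // unique per ticket
    ]);
    $body = base64url($payload);
    $sig  = base64url(hash_hmac('sha256', $body, SSO_SECRET, true));
    return $body . '.' . $sig;
}
// Any application system: validates the ticket locally. Returns the user id,
// or null when the ticket is malformed, tampered with, or expired.
function verifyTicket(string $ticket, int $now): ?string {
    $parts = explode('.', $ticket);
    if (count($parts) !== 2) {
        return null;
    }
    [$body, $sig] = $parts;
    $expected = base64url(hash_hmac('sha256', $body, SSO_SECRET, true));
    if (!hash_equals($expected, $sig)) { // constant-time comparison
        return null;
    }
    $claims = json_decode(base64_decode(strtr($body, '-_', '+/')), true);
    if (!is_array($claims) || !isset($claims['sub'], $claims['exp'])) {
        return null;
    }
    if ($claims['exp'] < $now) {
        return null; // ticket has passed its expiry time
    }
    return $claims['sub'];
}

$ticket = issueTicket('alice', time());
var_dump(verifyTicket($ticket, time()));        // the freshly issued ticket
var_dump(verifyTicket($ticket . 'x', time()));  // a ticket whose signature was altered
var_dump(verifyTicket($ticket, time() + 600));  // the same ticket checked after its TTL
```

Because verification needs only the shared secret, every server in the group can check a ticket without a round trip, but rotating that secret then means re-issuing tickets across the whole group.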