Objective
Yesterday a friend asked me how to let two different sites share a single login. I said: set up a dedicated server that does nothing but the login system and stores the sessions, and have the other sites recognise the authentication through that server; wouldn't that work? In the end the suggestion became "store the sessions in Memcache or Redis, that's better".
Thinking back on it, I was talking without feeling the pain. Someone just wants a simple cross-site login, and I tell them to add a whole server to their setup. That is inappropriate; for a start-up it is worse than useless. A server costs money and electricity and, worst of all, wastes socialist resources, which we cannot allow. But apart from that approach I knew no other. I was so annoyed that I stubbed out the cigarette I had just lit. So I wanted to understand this technical question properly, at least at the level of theory; having studied it a little, I don't dare keep it to myself, so I am sharing it with friends here.
Login Authentication
A reminder before you read on: I assume you already have basic PHP knowledge.
Since we are talking about login authentication, two things must be made clear:
(1) What is used as the credential, i.e. the proof that a user has already authenticated?
(2) What rules are used to verify that credential?
What is used as the credential?
When it comes to login verification, it is common practice to use a cookie. At this point the onlookers may be surprised: what? You use a cookie as a "ticket" to verify that a user is legitimate? Don't you know cookies can be forged?
Yes, I know. A forged cookie only matters if it passes verification, so the ticket must be protected with a key the attacker does not have. Two corrections to the usual folk understanding first. MD5 is not encryption at all: it is a keyless one-way hash, so anyone who knows the ticket format can compute the MD5 of a guessed payload and forge a "valid" ticket. Symmetric cryptography uses one shared secret for both sides (AES for confidentiality, HMAC for integrity); asymmetric cryptography uses a key pair, where you encrypt with the public key and decrypt with the private key, or sign with the private key and verify with the public key. What a login ticket actually needs is integrity and authenticity, not secrecy: the server must be able to tell that it issued the ticket and that nobody changed the user id or the expiry inside it. That is a message authentication code (HMAC-SHA256 with a server-side secret is enough) or a digital signature, plus an expiry time, verified with a constant-time comparison. As long as the key is not leaked, an attacker cannot produce a ticket that verifies, so you can stop worrying about the cookie and get on with the project. Do still set the cookie with the HttpOnly and Secure flags and a SameSite value, so it is not readable from script or sent over plain HTTP.
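As an added example (not code from the original post, which is PHP-oriented; the same primitives exist in PHP as hash_hmac() and hash_equals()), here is what a ticket that "cannot be forged without a trace" looks like in Python: a readable payload of user id and expiry, authenticated with HMAC-SHA256 under a server-side key, next to the keyless MD5 construction the post calls encryption. The key and the ticket format are this example's own choices.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional

# Server-side secret. Constructed for this example; in production load it from
# configuration and never send it to the browser.
SERVER_KEY = b"example-only-secret-do-not-reuse"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_ticket(user_id: str, ttl: int = 3600, key: bytes = SERVER_KEY,
                 now: Optional[int] = None) -> str:
    """Ticket = base64("user_id|expiry") + "." + HMAC-SHA256(key, that payload).
    The payload stays readable (a ticket needs integrity, not secrecy); the MAC
    is what stops a client from changing user_id or the expiry."""
    now = int(time.time()) if now is None else now
    payload = _b64(f"{user_id}|{now + ttl}".encode())
    mac = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{mac}"


def verify_ticket(ticket: str, key: bytes = SERVER_KEY,
                  now: Optional[int] = None) -> Optional[str]:
    """Return the user_id if the ticket was issued with `key` and has not
    expired, otherwise None. Every failure path returns the same None so the
    caller leaks nothing about why a ticket was rejected."""
    now = int(time.time()) if now is None else now
    payload, sep, mac = ticket.partition(".")
    if not sep:
        return None
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison (PHP: hash_equals) so timing cannot guide a forger.
    if not hmac.compare_digest(expected.encode(), mac.encode()):
        return None
    try:
        user_id, exp = _unb64(payload).decode().rsplit("|", 1)
        if now >= int(exp):
            return None
    except ValueError:  # bad base64, bad UTF-8 or a non-numeric expiry
        return None
    return user_id


def keyless_md5_ticket(user_id: str) -> str:
    """What the post calls 'MD5 encryption'. There is no key, so anyone who
    knows the format can compute the ticket for any user. Do not do this."""
    return f"{user_id}|{hashlib.md5(user_id.encode()).hexdigest()}"
```

Splicing the payload of one ticket onto the MAC of another, changing the key, or letting the expiry pass all make verify_ticket() return None; the MD5 variant is reproducible by anyone, which is exactly the forgery the onlookers were worried about.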
What rules are used to verify it?
What we want today is to log in once and be logged in on several sites. Here the onlookers may get the wrong idea: is the author talking about "log in with Penguin" (QQ) authorization? I see the penguin can log in on many sites. If that is what you thought, the technique you have in mind is OAuth, the open authorization protocol. What we are discussing today is cross-site login, i.e. single sign-on.
Cross-site login, judged by its technical characteristics, falls into two categories: single sign-on across subdomains of one domain, and single sign-on across completely different domains.
Single sign-on across subdomains
"Across subdomains" means across the sub-domains of one parent domain.
What this post calls the top-level domain, or root domain, is the registrable domain the sites share (strictly speaking "com" is the top-level domain and itbool.com is a second-level domain, but it is the shared parent that matters here). Take our Boolean Education domain name as an example.
[Figure: the levels of the itbool.com domain name]
Look at this picture; I wonder whether the brothers and sisters have learned to tell the levels apart?
If you still cannot, here is the rule of thumb used in this post: a domain name with n dots is an n-level domain, so itbool.com is a first-level domain and dengpeng.itbool.com a second-level one. That should settle it.
OK, let's walk through single sign-on across subdomains.
There are two sites. One has the domain name dengpeng.itbool.com; call it the D station. The other has the domain name yanshiba.itbool.com; call it the Y station. How can a user who logs in on D station, is verified as legitimate and receives a ticket cookie, then visit Y station without logging in again?
As we all know, cookies are scoped by domain: the browser will not send a cookie set for one host to a different host. For example, after logging in on D station we get a ticket whose cookie domain is dengpeng.itbool.com; when we then visit yanshiba.itbool.com, the browser does not attach D station's ticket to the request to Y station. We keep saying the cookie is the ticket, and without the ticket Y station has nothing to verify.
No need to be afraid!
The cookie's Domain attribute can be set to the shared parent domain. If we set the ticket cookie's domain to itbool.com, the parent of both D station and Y station, the browser sends it to every subdomain of itbool.com, so both stations receive the ticket. With the ticket in hand, each site checks it with the shared verification key and can easily determine the user's login state. Two caveats: both sites must hold the same key, and every subdomain of itbool.com now receives the ticket, so an XSS bug or a compromised host on any one of them can steal it; set HttpOnly and Secure and keep the set of subdomains small.
[Figure: a ticket cookie with Domain=itbool.com shared by dengpeng.itbool.com and yanshiba.itbool.com]
There are two ways to write the value of the Domain attribute for the parent (root) domain above:
> Form 1: itbool.com
> Form 2: .itbool.com
Browsers following RFC 6265 ignore the leading dot, so the two forms are equivalent; PHP's setcookie() accepts either in its domain parameter.
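As an added example (not code from the original post), the following Python models the browser rules that make the parent-domain trick work: the RFC 6265 domain-matching used to decide which cookies a request carries, the rule that a leading dot in Domain is ignored, and the rule that a site may only set a cookie for its own parent domains, never for an unrelated domain or a public suffix. The tiny PUBLIC_SUFFIXES set is a constructed stand-in for the Public Suffix List real browsers consult; the cookie jar is a simplified model.

```python
from typing import Dict, List, Optional

# Constructed stand-in for the Public Suffix List; real browsers use the full list.
PUBLIC_SUFFIXES = {"com", "it", "co.uk"}


def normalize_cookie_domain(attr: str) -> str:
    """RFC 6265 5.2.3: a leading dot in the Domain attribute is ignored,
    so 'itbool.com' and '.itbool.com' mean the same thing."""
    return attr.lower().lstrip(".")


def domain_matches(host: str, cookie_domain: str) -> bool:
    """RFC 6265 5.1.3 domain-matching: the request host equals the cookie
    domain or is a subdomain of it (a dot boundary, so evilitbool.com fails)."""
    host = host.lower()
    d = normalize_cookie_domain(cookie_domain)
    return host == d or host.endswith("." + d)


def can_set_domain(setting_host: str, domain: str) -> bool:
    """A response from setting_host may only set Domain to setting_host itself
    or one of its parents, and never to a public suffix such as 'com'."""
    d = normalize_cookie_domain(domain)
    return d not in PUBLIC_SUFFIXES and domain_matches(setting_host, d)


def build_set_cookie(name: str, value: str, domain: str, max_age: int = 3600) -> str:
    """Set-Cookie header for a ticket shared across subdomains. Secure,
    HttpOnly and SameSite are the defaults a practitioner should add."""
    return (f"{name}={value}; Domain={normalize_cookie_domain(domain)}; Path=/; "
            f"Max-Age={max_age}; Secure; HttpOnly; SameSite=Lax")


def store_cookie(jar: List[dict], setting_host: str, name: str, value: str,
                 domain: Optional[str] = None) -> bool:
    """Model of the browser accepting a Set-Cookie from setting_host.
    Without a Domain attribute the cookie is host-only. Returns False when
    a browser would reject the Domain attribute."""
    if domain is not None and not can_set_domain(setting_host, domain):
        return False
    jar.append({"host": setting_host.lower(), "name": name, "value": value,
                "domain": None if domain is None else normalize_cookie_domain(domain)})
    return True


def cookies_for_request(jar: List[dict], host: str) -> Dict[str, str]:
    """Which stored cookies the browser attaches to a request for `host`."""
    sent = {}
    for c in jar:
        if c["domain"] is None:
            ok = host.lower() == c["host"]          # host-only cookie
        else:
            ok = domain_matches(host, c["domain"])  # domain cookie
        if ok:
            sent[c["name"]] = c["value"]
    return sent
```

With the ticket stored under Domain=itbool.com by dengpeng.itbool.com, a request to yanshiba.itbool.com carries it, a request to zixue.it does not, and an attempt by dengpeng.itbool.com to set Domain=zixue.it or Domain=com is refused; a cookie set without Domain stays with dengpeng.itbool.com only.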
Single sign-on across completely different domains
Completely cross-domain means a set of unrelated domain names. itbool.com and zixue.it are two different service sites of Boolean Education; after I log in on itbool.com, do I really need a second login when I visit zixue.it? This had the author puzzled: these are two completely unrelated domain names, so setting a shared parent domain is useless! What can be done?
Don't worry; let's look at the request and authentication flowchart.
The core of this authentication technique is redirecting back and forth between the two sites.
[Figure: flowchart of the redirect-based authentication between itbool.com and zixue.it]
The principle is as shown in the figure; in words:
When you visit the Boolean site (itbool.com), it checks whether you have an itbool_ticket. If you do and the ticket verifies, you get access to the site's resources. If not, you are redirected to the self-study site (zixue.it). Because this is single sign-on (once you have logged in on one site, the other sites need no further login), zixue.it now checks whether you are logged in there. If you are, it reads your zixue_ticket, verifies it, and redirects you back to the Boolean site carrying an encrypted or signed token (possibly the encrypted cookie value); the Boolean site verifies the token and then writes an itbool_ticket cookie to the browser. If you are not logged in on zixue.it, you are redirected to its login page; after the login completes, it redirects you to the Boolean site with the token, the Boolean site verifies it, and the browser receives its itbool_ticket.
Three things the flowchart does not show but a real implementation needs: the token must be single-use and short-lived, it must be bound to the site it was issued for so a token minted for itbool.com cannot be replayed at a third site, and zixue.it must check the return address against a list of its own sites before redirecting, otherwise the login page becomes an open redirector that hands tokens to any host an attacker names.
One point to reiterate:
Whether itbool.com or zixue.it is visited first, the basic flow is the same.
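The flow described above, as an added example that is not part of the original post: zixue.it owns the login form and its own session cookie, itbool.com redirects unauthenticated visitors there and, on the way back, turns the token into its own itbool_ticket. The post says the token may be an encrypted value; this example instead uses a random single-use token that itbool.com validates against zixue.it over a back channel (the validate_token() call), which is this example's own design choice and keeps zixue.it's secrets out of the relying site. The hostnames are from the post; the paths, parameter names, credential store and the tiny browser model are constructed for the example.

```python
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlsplit

TOKEN_TTL = 60  # seconds a hand-off token stays valid


class AuthSite:
    """zixue.it: the site that actually performs the login and owns zixue_ticket."""

    def __init__(self, allowed_sites):
        self.allowed = set(allowed_sites)     # hosts we may hand a token to
        self.sessions = {}                    # zixue_ticket -> user
        self.tokens = {}                      # token -> (user, audience, expiry)
        self.users = {"alice": "correct horse"}  # constructed credential store

    def handle(self, path, q, cookies, form, now):
        user = self.sessions.get(cookies.get("zixue_ticket"))
        ret = q.get("return", "")
        if path == "/login":
            if form and self.users.get(form.get("user")) == form.get("pw"):
                sid = secrets.token_urlsafe(32)
                self.sessions[sid] = form["user"]
                return 302, f"/sso?{urlencode({'return': ret})}", {"zixue_ticket": sid}, ""
            return 200, None, {}, "login_form"
        if path == "/sso":
            if user is None:
                return 302, f"/login?{urlencode({'return': ret})}", {}, ""
            aud = urlsplit(ret).hostname
            if aud not in self.allowed:       # open-redirect guard: unknown host gets no token
                return 400, None, {}, "bad return url"
            tok = secrets.token_urlsafe(32)
            self.tokens[tok] = (user, aud, now + TOKEN_TTL)
            sep = "&" if "?" in ret else "?"
            return 302, f"{ret}{sep}{urlencode({'token': tok})}", {}, ""
        return 404, None, {}, ""

    def validate_token(self, tok, audience, now):
        """Back-channel check by the relying site: single-use (pop), unexpired, right audience."""
        user, aud, exp = self.tokens.pop(tok, (None, None, 0))
        if user is None or aud != audience or now >= exp:
            return None
        return user


class RelyingSite:
    """itbool.com: trusts AuthSite and keeps its own itbool_ticket sessions."""

    def __init__(self, host, idp):
        self.host, self.idp, self.sessions = host, idp, {}

    def handle(self, path, q, cookies, form, now):
        user = self.sessions.get(cookies.get("itbool_ticket"))
        if user:
            return 200, None, {}, f"hello {user}"
        if "token" in q:
            user = self.idp.validate_token(q["token"], self.host, now)
            if user is None:
                return 403, None, {}, "bad token"
            sid = secrets.token_urlsafe(32)
            self.sessions[sid] = user
            return 302, "/", {"itbool_ticket": sid}, ""   # redirect so the token leaves the URL
        ret = f"https://{self.host}{path}"
        return 302, f"https://zixue.it/sso?{urlencode({'return': ret})}", {}, ""


class Browser:
    """Follows redirects, keeps host-only cookies per host, records every URL visited."""

    def __init__(self, sites):
        self.sites, self.jar, self.history = sites, {}, []

    def visit(self, url, form=None, now=None):
        now = int(time.time()) if now is None else now
        for _ in range(10):
            self.history.append(url)
            u = urlsplit(url)
            q = {k: v[0] for k, v in parse_qs(u.query).items()}
            cookies = self.jar.setdefault(u.hostname, {})
            status, loc, set_cookies, body = self.sites[u.hostname].handle(u.path, q, cookies, form, now)
            cookies.update(set_cookies)
            form = None                        # a form is submitted only to the first URL
            if status != 302:
                return status, u.hostname, body
            url = loc if "://" in loc else f"https://{u.hostname}{loc}"
        raise RuntimeError("redirect loop")


def build_sites():
    idp = AuthSite(allowed_sites=["itbool.com"])
    return idp, {"zixue.it": idp, "itbool.com": RelyingSite("itbool.com", idp)}
```

A fresh browser visiting https://itbool.com/ ends up on zixue.it's login form; submitting the form sends it through /sso, back to itbool.com with a token, and finally to a 200 "hello alice" with an itbool_ticket of its own. Replaying the token URL from the browser history in another browser yields 403 because the token was consumed, and a logged-in user sent to /sso with return=https://evil.example/ gets a 400 and no token.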
A shared authentication system for a site group
That covers the two kinds of single sign-on. The third kind is an independent user login system, built as a separate application that does nothing except user login authentication; this is what I described at the beginning of the article. It is common in large site groups, such as Penguin (Tencent) and Google.
To give a more intuitive picture of an authentication-sharing system, I attach a picture found on the web.
[Figure: shared authentication system for a site group (picture from the web)]
Further reading
If you want to read more about applications of single sign-on technology, I recommend two popular products: Discuz UCenter and Phpcms phpsso.
> Documentation links:
UCenter
[http://faq.comsenz.com/library/UCenter/introduction/introduction_brief.htm](http://faq.comsenz.com/library/UCenter/introduction/introduction_brief.htm)
phpsso
[http://v9.help.phpcms.cn/html/phpsso/](http://v9.help.phpcms.cn/html/phpsso/)
This article is from the "12447314" blog; please keep this source: http://12457314.blog.51cto.com/12447314/1888990
Once you have read this article, you should not need to ask about cross-site login again.