Original article: http://dev2dev.bea.com.cn/techdoc/20060919883.html
In the case of SSO across multiple sites (such as passport), I never understood how a user could safely hand over their passport account and password to a third-party site.
Now I understand: the user's account and password are verified only at the source site. The third-party site is the target site; it never receives the password. It accepts only the user's identity and then sends a request to the source site asking whether that identity is valid (that is, whether the user is currently logged on there).
After the user logs on to the source site, the browser stores a cookie, the browser credential, which is an opaque hash string. When the user then logs on to the target site, the target site sends a request containing this browser credential to the source site, and the source site answers whether the credential is valid.
In short, the browser credential is the bond between the source site and the target site, and each side's bargaining chip. The source site must protect the user's account: it cannot hand the account and password to the target site, so it gives the target site only a credential that proves the user's identity for a short period. The target site must protect itself: it cannot open all of its operations to an unauthenticated user, so it must authenticate the user, and the only way it can do so is to send the browser credential to the source site and let the source site identify the user. Two properties follow: the credential must expire (and be revocable when the user logs out), and the target site must check it with the source site over a channel it trusts rather than accepting the value on its own.
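The exchange described in the two paragraphs above, as an added example that is not part of the original article: a source site that checks the password and issues a short-lived browser credential, a target site that never sees the password and can only ask the source site whether a credential is valid, and the failure cases a practitioner would want to see rejected (wrong password, forged credential, credential revoked by logout, credential past its validity window). The credential format (an opaque random hex token stored server-side), the 300-second window, the `SourceSite`/`TargetSite` names and the PBKDF2 password hashing are all assumptions of this example, not details from the article.

```python
"""Toy model of the passport-style SSO flow described in the article.

Added example, not code from the original article. The token format,
the validity window and the class names are assumptions.
"""
import hashlib
import hmac
import secrets
import time

CREDENTIAL_TTL_SECONDS = 300  # assumed "short period" of validity


class SourceSite:
    """Holds the accounts, checks passwords, issues and verifies credentials."""

    def __init__(self):
        self._accounts = {}     # username -> (salt, password hash)
        self._credentials = {}  # credential -> (username, expiry)

    @staticmethod
    def _hash(salt, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, username, password):
        salt = secrets.token_bytes(16)
        self._accounts[username] = (salt, self._hash(salt, password))

    def login(self, username, password, now=None):
        """Verify the password here, at the source site only, and hand the
        browser an opaque credential. Returns None when the login fails."""
        now = time.time() if now is None else now
        entry = self._accounts.get(username)
        if entry is None:
            return None
        salt, stored = entry
        if not hmac.compare_digest(stored, self._hash(salt, password)):
            return None
        credential = secrets.token_hex(32)  # opaque "hash string" cookie value
        self._credentials[credential] = (username, now + CREDENTIAL_TTL_SECONDS)
        return credential

    def verify(self, credential, now=None):
        """Back-channel call from a target site. Answers with the username
        behind a valid credential, never with the password."""
        now = time.time() if now is None else now
        entry = self._credentials.get(credential)
        if entry is None:
            return None
        username, expiry = entry
        if now >= expiry:
            del self._credentials[credential]
            return None
        return username

    def logout(self, credential):
        """Revoke a credential so target sites stop accepting it."""
        self._credentials.pop(credential, None)


class TargetSite:
    """Never sees a password; trusts only what the source site confirms."""

    def __init__(self, source):
        self._source = source
        self._sessions = {}  # local session id -> username

    def login_with_credential(self, credential, now=None):
        username = self._source.verify(credential, now)
        if username is None:
            return None
        session_id = secrets.token_hex(16)
        self._sessions[session_id] = username
        return session_id

    def whoami(self, session_id):
        return self._sessions.get(session_id)


def demo(now=1_000_000.0):
    """Run the flow with a constructed user and return each outcome."""
    source = SourceSite()
    source.register("alice", "correct horse battery staple")  # constructed user
    target = TargetSite(source)

    cred = source.login("alice", "correct horse battery staple", now)
    ok = target.whoami(target.login_with_credential(cred, now))

    bad = source.login("alice", "wrong password", now)           # no credential issued
    forged = target.login_with_credential("00" * 32, now)        # never issued
    cred2 = source.login("alice", "correct horse battery staple", now)
    source.logout(cred2)
    revoked = target.login_with_credential(cred2, now)           # revoked by logout
    expired = target.login_with_credential(cred, now + CREDENTIAL_TTL_SECONDS + 1)

    return {"ok": ok, "bad": bad, "forged": forged,
            "revoked": revoked, "expired": expired}
```

The point to notice is what crosses each boundary: the password goes only from the browser to `SourceSite.login`, the target site's only question to the source site is `verify(credential)`, and the answer is a username, never a password.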