JavaScript-How do I implement [cross-domain Single sign-on]?

Manage User Sites

• User account URL:http://accounts.com
• User Login URL:http://accounts.com/login
• Users and other places Web site:http://accounts.com/logout

App Site

• Application 1:http://app1.com
• Application 2:http://app2.com

Implementation Scenarios

1. Sign in to App 1, jump to http://accounts.com/login sign in
2. Login successful Jump back to application 1, the address will take a token, for example: http://app1.com/callback?token=xxxx to verify the login
3. After browsing the app 1, the user enters app 2 (the user may enter App2.com's address to access the app 2)
4. At this point, apply 2 by "some way" to determine whether to apply 1 before the login or not, to set the current user is logged in

The question is how to implement the 4th in the scenario?

What I'm thinking now is:

1. Synchronous login: Like Discuz, when you log in to an app to log in to another app, the downside is that it's best to wait a few seconds after the login to allow other apps to have enough time to write down the cookie, but I don't like the "Wait a few seconds" way
2. Use JSONP: Although know how to use JSONP cross-domain request, but it is difficult to implement, and the processing is not good there is a security problem

I wonder if you have any good ways???

-----------------------Gorgeous split-line---------------------------

It took some time in the afternoon to study the login methods of the two groups of websites separately:

1. Google.com and YouTube.com
2. Taobao.com and Etao.com

first, google.com and YouTube.com
situation One: not logged in, but viewed YouTube

1. Login google.com by https://accounts.google.com/ServiceLoginAuth verifying user name password
2. Check to see https://accounts.google.com/CheckCookie if there are any other apps, such as YouTube, and then jump to login again. https://accounts.youtube.com/accounts/SetSID
3. Finally jump back to Google.com's homepage

Scenario Two: Logged in to Google.com, but not viewed YouTube nor logged in

1. Since I signed in to Google.com, I entered my address directly from the address bar for my first visit to YouTube.
2. Access to the YouTube homepage shows that I need to log in, so click Login
3. Still jump to https://accounts.google.com/ServiceLoginAuth , but without any input directly jump back to Yutube home

ii. taobao.com and etao.com

1. Whether I have login taobao.com, I enter the etao.com home page, first check whether the cookie is logged in
2. Login etao.com Home Show login Status
3. Not logged in then jump to http://jump.taobao.com/jump?target=http%3A%2F%2Fwww.etao.com%2F%3Ftbpm%3Dt check if there is a login in taobao.com
4. Log in then jump back http://pass.etao.com/add?... in to log in after jumping in the page, login status is login
5. Not logged in will still jump back to the page, login status is not logged in

Now basically know how to do, or there are other better ways? Let's talk about it.

Reply content:

Manage User Sites

• User account URL:http://accounts.com
• User Login URL:http://accounts.com/login
• Users and other places Web site:http://accounts.com/logout

App Site

• Application 1:http://app1.com
• Application 2:http://app2.com

Implementation Scenarios

1. Sign in to App 1, jump to http://accounts.com/login sign in
2. Login successful Jump back to application 1, the address will take a token, for example: http://app1.com/callback?token=xxxx to verify the login
3. After browsing the app 1, the user enters app 2 (the user may enter App2.com's address to access the app 2)
4. At this point, apply 2 by "some way" to determine whether to apply 1 before the login or not, to set the current user is logged in

The question is how to implement the 4th in the scenario?

What I'm thinking now is:

1. Synchronous login: Like Discuz, when you log in to an app to log in to another app, the downside is that it's best to wait a few seconds after the login to allow other apps to have enough time to write down the cookie, but I don't like the "Wait a few seconds" way
2. Use JSONP: Although know how to use JSONP cross-domain request, but it is difficult to implement, and the processing is not good there is a security problem

I wonder if you have any good ways???

-----------------------Gorgeous split-line---------------------------

It took some time in the afternoon to study the login methods of the two groups of websites separately:

1. Google.com and YouTube.com
2. Taobao.com and Etao.com

first, google.com and YouTube.com
situation One: not logged in, but viewed YouTube

1. Login google.com by https://accounts.google.com/ServiceLoginAuth verifying user name password
2. Check to see https://accounts.google.com/CheckCookie if there are any other apps, such as YouTube, and then jump to login again. https://accounts.youtube.com/accounts/SetSID
3. Finally jump back to Google.com's homepage

Scenario Two: Logged in to Google.com, but not viewed YouTube nor logged in

1. Since I signed in to Google.com, I entered my address directly from the address bar for my first visit to YouTube.
2. Access to the YouTube homepage shows that I need to log in, so click Login
3. Still jump to https://accounts.google.com/ServiceLoginAuth , but without any input directly jump back to Yutube home

ii. taobao.com and etao.com

1. Whether I have login taobao.com, I enter the etao.com home page, first check whether the cookie is logged in
2. Login etao.com Home Show login Status
3. Not logged in then jump to http://jump.taobao.com/jump?target=http%3A%2F%2Fwww.etao.com%2F%3Ftbpm%3Dt check if there is a login in taobao.com
4. Log in then jump back http://pass.etao.com/add?... in to log in after jumping in the page, login status is login
5. Not logged in will still jump back to the page, login status is not logged in

Now basically know how to do, or there are other better ways? Let's talk about it.

Study and read the Sohu, and share them.

Unified login at Login.common.com?return=www.a.com (with address to return)
If validation succeeds return JS, add the returned JS in login.common.com/success, and display, and then jump back to the value in the return parameter.

So what is this JS content?
is to call the various sites by JS to generate their own cookies.

Currently Ucenter is also used in this way. Login center, you should have a similar list of applications such things.

Google's approach should be a more complete process, but there are some drawbacks, that is when I did not visit YouTube, Google, it did not give me automatic login to YouTube, but also need you to manually click Login. Although there is no need to enter a password what, but also some trouble.

In fact, you can make an improvement, that is, you hang a Google domain in YouTube js, of course, this JS is actually output through the dynamic script. In the script we first check the user is already logged in the Google domain, if already logged in, then the dynamic output let it in the YouTube domain also login JS.

While this benefit is only one step away, it is actually a matter of dispersing the first way you write a cookie in a problem to visit each sub-station to complete it, which makes it almost impossible for the user to feel.

I know there are three ways to do this:

1. Page nested JS cross-domain request, just like Hong Sing's ucenter products;
2. Let the page jump to different application domain name to solve the cross-domain problem;
3. Like Google, the user unsolicited request;

Here are the details:
1. App1, APP2, app3 hook up on UC, the user requests App1 login, and the APP1 program validates the code by simultaneously requesting the UC to synchronize the login (below) and print to the page.

Note that uc.php needs P3P header.

Header (' p3p:cp= ' CURa ADMa DEVa Psao psdo our BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR "');

2. App1, APP2, APP3, user request App1 login, APP1 program in the validation pass with parameters let the browser jump to app2.com (in the Output page, add a section of JS, code similar to the following), and then jump to app3.com ... Cookie and then skip back to App1.com

The downside is-in the user's look, the page will be white screen for a while! Not suitable for multiple applications.

3. Google's approach, the downside is that users have the initiative to click the login button, can not be seamless synchronization login, the benefits are suitable for multiple applications;

哪一个好, 得看什么要求, 如果不需要做到无缝的同步登录的话, 肯定是使用 Google 的方案!

App2.com also with? Token=xxx not good, if it is from the app1.com link jump past

I have a less "symmetrical perfect" solution, when the app is more likely to be more troublesome, but also a way:

At the end of the app1.com callback page, add the script tag