Questions about using memcache for sso

Sso uses memcache to implement single-point login between multiple sites
Objectives:
Assume that the forum does not have the login function. after you log on to the forum from oa, click the jump link of bbs or directly access bbs in the address bar.

Simple architecture: an independent memcache server is used for session sharing. The two sites have their own user tables, but the data is related to each other, for example, the id of the oa user table is the same as that of the bbs user table;

My implementation:
After a user logs on from oa, the user generates the user ID-related cache data user_id => xxx in memcache, and then generates the cookie in the bbs system using the p3p protocol, this cookie is used to obtain user_id => xxx in memcache through a certain encryption algorithm. when a user redirects to or directly accesses bbs, the cookie data is read, after the backend decrypts the data, obtain the user data in the bbs based on the data in memcache, write the data to the session, and mark the successful login;

Question:
1. is it unnecessary for me to use memcache to share this part of user data?
2. what part of data is shared by session sharing in sso? How to operate
3. do I need to use memcache for session sharing in sso? Is it cross-origin?
4. can I implement sso without using cookies?

Reply to discussion (solution)

You can use only p3p to achieve single-point logon in the same domain.
Use memcache to store login user information, which is convenient for subsequent checks and has no direct relationship with sso.

You can use only p3p to achieve single-point logon in the same domain.
Use memcache to store login user information, which is convenient for subsequent checks and has no direct relationship with sso.

The moderator means that p3p can only write cookies in the same domain and cannot write cookies across domains?
However, I can test on the local machine to write cookies across domains. then I want other domains to write cookies under the domain to implement single-point login. what is the solution?
Are there any solutions for the moderator? (Cas or similar systems are not used)

I have tested that p3p can only write cookies in the same domain.
Let's see how you wrote it.

I have tested that p3p can only write cookies in the same domain.
Let's see how you wrote it.

This is probably the case:
Build www.a.com and www. B .com locally

The index. php code writes a cookie through p3p,
Call in www.a.com => index. php. after accessing www.a.com/index.php, the cookie will be generated in www. B .comdomain.

1. is it unnecessary for me to use memcached to share this part of user data?
Check whether you need to use this data across sites. if you do not need this data, it is redundant.

2. what part of data is shared by session sharing with memcached in sso? How to operate
Same as above. In SSO, you can consider storing global permission bits in memcached for quick permission verification. However, the integration permission is distributed across various systems, and this part of data is not required.
Memcached provides a cross-process, cross-system data transfer method for session sharing. P3P can only transmit data in small batches across domains, while memcached can even transmit images, and browsers, client programs and mobile apps.

3. do I need to use memcache for session sharing in sso? Is it cross-origin?
Cookies are generally used to pass tokens. tokens are generally a one-time data and must be passed as parameters when one system starts another system.
Cross-origin refers to data transmission between different domains in the browser. memcached is used as a server component and has nothing to do with it.
Token transfer is also required in the client program and is passed through parameters.

4. can I implement sso without using cookies?
More reliable with url parameters

4. can I implement sso without using cookies?
Url parameters are more reliable, but more server-side code is required.

4. can I implement sso without using cookies?
Url parameters are more reliable, but more server-side code is required.

If you want to directly access other sites is also logged on, you can only use cookies instead of passing parameters through URLs.

4. can I implement sso without using cookies?
Url parameters are more reliable, but more server-side code is required.

If you want to directly access other sites is also logged on, you can only use cookies instead of passing parameters through URLs. [/quo


It mainly depends on whether there is a server-side SSO interface. if you can use the token on the server side for login verification, the url parameter is the most convenient. If SSO such as taobao can only be used on the browser client, the url parameter method will not work.

If you implement SSO on your own, you will surely implement the url parameter transmission method. to protect the token, you can only use cookies when using it by a third party.

If you implement SSO on your own, you will surely implement the url parameter transmission method. to protect the token, you can only use cookies when using it by a third party.

In this way, you cannot directly access other sites through the address bar to display the login status.

If you implement SSO on your own, you will surely implement the url parameter transmission method. to protect the token, you can only use cookies when using it by a third party.

In this way, you cannot directly access other sites through the address bar to display the login status.

Yes. There are many restrictions on url methods, but they are highly reliable and can be run without javascript support.
The cookie method can directly judge the user status in the browser without accessing the server, which is helpful for reducing the pressure on the SSO server.