
The issue

Let's say that I have example.com, example.org and example.net.

All of these sites have a login which authenticates against the same base of user credentials.

I'm looking for an efficient way to only log in at one place but still have the ability to be transparently logged in at the other sites.

My current solution
...is having an iframe loading a resource on one of the sites (which I call main site) and if the user is logged in at the main site, refresh the page using a token and automagically log in the user through some JavaScript.

But this is really inefficient and insecure for several reasons:

  • User needs to log in at the main site
  • User needs to refresh his page, using some clientside code (I'm aware that it might not be possible to avoid this).
  • Using iframes is generally frowned upon and some even have browser plugins blocking these.

What I'm not looking for
I'm not interested in using some third party provider like Facebook, Google or an OpenID provider as this would require my users to register with third party websites to use my services.

Summing up to the specific question
Just like Google and even StackOverflow, where the authentication process between the sites seems transparent, I need something similar. What is a better option than my current solution?

Repox

1 Answer


I cannot share code ... but the solution I implemented involved a middle-man to handle the authentication for all my sites... which we called an SSO Broker....

Basically, all login requests go via the SSO Broker, it will determine if you have logged in already in sitea when trying to access siteb.

... The closest I can point you to for how we implemented it is: http://www.jasny.net/articles/simple-single-sign-on-for-php/

The other SSO solutions all have their place too, but some are more complex than required.

The other simple approach is, simply passing some (secure-ish) token between each other.

Brian
  • How would you eliminate the need for the user to log in when he moves from example.com to example.org? I think the user will still need to enter username and password on example.org but that can be validated on a common OpenID server – HaBo Apr 15 '15 at 21:33
  • @HaBo Have you tried the jasny code? It seems to work correctly. – kojow7 Jun 22 '16 at 16:18
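The broker pattern the answer sketches (one place holds the login session, every member site redeems a short-lived token from it) can be modelled end to end in a few dozen lines. The following is an added example, not the answerer's code and not the jasny library: the class names, the per-site secrets, the single user and the ticket layout are all constructed for illustration. What it shows beyond the answer's prose is which checks the receiving site must perform so that "some (secure-ish) token" is actually secure: an HMAC with a secret shared only with that site, an audience field so a ticket minted for example.org is useless at example.net, a short expiry, and a single-use id so a captured ticket cannot be replayed.

```python
"""Toy SSO-broker flow (added example; not code from the answer or from jasny).
The broker holds the only login session; each site redeems a signed,
short-lived, single-use, site-bound ticket and then starts its own session."""
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed per-site secrets, shared out-of-band between broker and each site.
SITE_SECRETS = {
    "example.com": b"constructed-secret-for-example-com",
    "example.org": b"constructed-secret-for-example-org",
    "example.net": b"constructed-secret-for-example-net",
}
TICKET_TTL = 60  # seconds; a ticket only has to survive one redirect


class Broker:
    """Holds the single login session the user establishes once."""

    def __init__(self):
        self.sessions = {}  # broker session cookie -> user id

    def login(self, username, password):
        # Constructed credential check; a real broker validates against the
        # shared user base the question describes.
        if (username, password) != ("alice", "correct horse"):
            return None
        cookie = secrets.token_urlsafe(32)
        self.sessions[cookie] = username
        return cookie

    def issue_ticket(self, cookie, site, now=None):
        """Called when a site redirects the browser to the broker.
        Returns a ticket bound to `site`, or None if the user is not logged in."""
        user = self.sessions.get(cookie)
        if user is None or site not in SITE_SECRETS:
            return None
        now = time.time() if now is None else now
        payload = {
            "sub": user,
            "aud": site,                     # only this site may accept it
            "exp": int(now) + TICKET_TTL,    # short lifetime
            "jti": secrets.token_hex(16),    # unique id for replay detection
        }
        body = base64.urlsafe_b64encode(
            json.dumps(payload, sort_keys=True).encode()).decode()
        sig = hmac.new(SITE_SECRETS[site], body.encode(), hashlib.sha256).hexdigest()
        return f"{body}.{sig}"


class Site:
    """One member site: redeems tickets and would then start a local session."""

    def __init__(self, hostname):
        self.hostname = hostname
        self.secret = SITE_SECRETS[hostname]
        self.seen_jti = set()  # single-use enforcement, per site

    def redeem_ticket(self, ticket, now=None):
        """Return the user id if the ticket is valid for this site, else None."""
        now = time.time() if now is None else now
        try:
            body, sig = ticket.split(".")
        except ValueError:
            return None
        expected = hmac.new(self.secret, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):  # constant-time comparison
            return None
        payload = json.loads(base64.urlsafe_b64decode(body))
        if payload.get("aud") != self.hostname:     # minted for another site
            return None
        if payload.get("exp", 0) < now:             # expired
            return None
        if payload["jti"] in self.seen_jti:         # replayed
            return None
        self.seen_jti.add(payload["jti"])
        return payload["sub"]


def demo():
    """One interactive login at the broker, then transparent logins elsewhere."""
    broker = Broker()
    cookie = broker.login("alice", "correct horse")
    org, net = Site("example.org"), Site("example.net")
    t_org = broker.issue_ticket(cookie, "example.org")
    t_bad = broker.issue_ticket(cookie, "example.org")
    t_bad = t_bad[:-1] + ("0" if t_bad[-1] != "0" else "1")  # flip last hex digit
    return {
        "org_accepts_own": org.redeem_ticket(t_org),
        "org_replay": org.redeem_ticket(t_org),
        "net_rejects_org_ticket": net.redeem_ticket(t_org),
        "net_accepts_own": net.redeem_ticket(broker.issue_ticket(cookie, "example.net")),
        "expired": org.redeem_ticket(
            broker.issue_ticket(cookie, "example.org", now=time.time() - 3600)),
        "tampered": org.redeem_ticket(t_bad),
        "not_logged_in": broker.issue_ticket("bogus-cookie", "example.org"),
    }


if __name__ == "__main__":
    print(demo())
```

In a deployment the ticket travels in the redirect back from the broker to the site, and the site's `seen_jti` store must be shared across its own instances (a database or cache) or replay protection silently breaks behind a load balancer. The user's answer to the question about entering credentials twice is also visible here: the broker's cookie is only ever read by the broker's own hostname, so the second site never sees a password, only a ticket.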