Customers who wish to continue offering an SSO capability for their websites will need to move to a solution that relies on sending the user to a centralized login page for authentication, which can then track the session with a first-party cookie.
The application verifies the credentials and then sets up a cookie in the browser storing the username (which could be encoded with a private key). If the user opens another application, it looks for the cookie and reads the username from its value (using the key to decode the string).
What is an SSO cookie?
A ticket-granting cookie is an HTTP cookie set by CAS upon the establishment of a single sign-on session. This cookie maintains login state for the client, and while it is valid, the client can present it to CAS in lieu of primary credentials. The final cookie value is then encrypted and signed. …
How do I enable single sign on cookies?
In your web browser, locate the settings for cookies. Locate the setting to allow cookies for a specific website. Save your browser settings.
How do you authenticate SSO?
How does SSO work?
- A user browses to the application or website they want access to, aka, the Service Provider.
- The Service Provider sends a token that contains some information about the user, like their email address, to the SSO system, aka, the Identity Provider, as part of a request to authenticate the user.
You can access cookies across subdomains, but I do not think using browser cookies is a great solution. You really don’t need a “SSO server” to implement a single sign-on. It is fairly easy to come up with a payload that both applications recognize.
How to use SSO with cookies in PHP?
Another web application can read the PHP session from the cookies and query a web service in the PHP application; the PHP application checks the session in the database and returns the user id. In this way I have an SSO using SOA. Do not rely on the user id stored in the browser; it is a security error, at least encrypt the id.
How to encrypt a cookie in SSO stack?
You may encrypt/encode the cookie value using a method that both site-a and site-b know how to decode, so that site-b will be able to validate its copy of the cookie. Use a common shared secret without which it will be impossible to encode or decode.
Do you rely on user ID for SSO?
In this way I have an SSO using SOA. Do not rely on the user id stored in the browser; it is a security error, at least encrypt the id. The best solution would be to put the login form and session storage in the same application, then this application can provide services to other applications.
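The two answers above make the same point: a user id that sits in a cookie in plain form can be edited by whoever holds the browser, so a second site must be able to check that the value really came from the login site. The example below is added here and is not code from any of the quoted answers; it uses an HMAC over the cookie payload with a shared secret rather than encryption, because what stops a user from rewriting the id is integrity protection, and encryption on its own does not provide that. The function names, the `uid`/`exp` claim names and the secret are all constructed for this illustration.

```python
import base64
import hashlib
import hmac
import json

# Constructed secret for the example. In practice both sites load it from
# configuration; it must never be sent to the browser.
SHARED_SECRET = b"example-shared-secret-do-not-use"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_sso_cookie(user_id: str, secret: bytes, now: int, ttl: int = 3600) -> str:
    """Value the login site sets after verifying credentials: <payload>.<mac>.

    The payload carries the user id and an expiry; the MAC is computed over
    the encoded payload with the shared secret, so any change to the payload
    invalidates the MAC.
    """
    claims = {"uid": user_id, "exp": now + ttl}
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode("utf-8"))
    mac = hmac.new(secret, payload.encode("ascii"), hashlib.sha256).digest()
    return f"{payload}.{_b64url(mac)}"


def verify_sso_cookie(value: str, secret: bytes, now: int):
    """What the second site does with its copy of the cookie.

    Returns the user id only if the MAC matches and the cookie is unexpired;
    returns None for anything forged, altered, expired or malformed.
    """
    try:
        payload, mac_text = value.split(".", 1)
        expected = hmac.new(secret, payload.encode("ascii"), hashlib.sha256).digest()
        # Constant-time comparison so a MAC check does not leak timing information.
        if not hmac.compare_digest(expected, _unb64url(mac_text)):
            return None
        claims = json.loads(_unb64url(payload))
        if not isinstance(claims, dict):
            return None
        exp = claims.get("exp")
        if not isinstance(exp, int) or exp <= now:
            return None
        return claims.get("uid")
    except (ValueError, UnicodeDecodeError):
        # Covers bad base64 (binascii.Error), bad JSON and a missing separator.
        return None


def rewrite_uid_keeping_mac(value: str, new_uid: str) -> str:
    """Simulate a browser-side edit of the id: new payload, original MAC."""
    payload, mac_text = value.split(".", 1)
    claims = json.loads(_unb64url(payload))
    claims["uid"] = new_uid
    new_payload = _b64url(json.dumps(claims, separators=(",", ":")).encode("utf-8"))
    return f"{new_payload}.{mac_text}"


if __name__ == "__main__":
    now = 1_700_000_000
    cookie = mint_sso_cookie("alice", SHARED_SECRET, now)
    print("valid:", verify_sso_cookie(cookie, SHARED_SECRET, now + 10))
    print("edited id:", verify_sso_cookie(rewrite_uid_keeping_mac(cookie, "admin"), SHARED_SECRET, now + 10))
    print("expired:", verify_sso_cookie(cookie, SHARED_SECRET, now + 3600))
```

The cookie should also be set with the `Secure` and `HttpOnly` attributes and, when the sites share a parent domain as the earlier answer describes, with the `Domain` attribute scoped to that parent so both sites receive it; the second site still calls the verification step on every request rather than trusting the value because it was present.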