I am currently working on a project that consists of two domains (mydomain.com, mydomain.net). I would like to be able to make is so that users are only required to login once for both domains. Below is my plan for how I am going to try to carry this out. Please let me know if there is something obvious that I am overlooking or if you can see a what that it could be exploited or a possible security flaw...
1. All logins will be handled by mydomain.com.
2. Session information is stored in a MySQL database.
3. If the login is successful, a background request will be made (prob using an img tag) to:
4. Using the key value from the URL the request variable the script will find the correct session and set the session id on mydomain.net
1. I choose to use the url variable key which will more than likely be a hash of the session id or maybe encrypted using the ip address of the visitor... I felt this was safer than passing the actual php session id... is there any validity to that? or did I really just complicate the process? I figured it was better than passing the session id?
2. By doing this, will each request from either site (.com or .net) reset the last accessed time for the session? For example, say I login at 1:00pm and my session lasts 20 mins... if I am only using mydomain.net after the login, if I go back to mydomain.com will it see me as idle and make me log back in?
All comments, suggestions, and alternatives are greatly appreciated. I am somewhat new to this and want to make sure that my implementation is both transparent and also secure. Thanks!