PHP cross domain Single Sign-on

I’ve done extensive research to no avail (and noticed that similar sitepoint threads on this topic died in the past too to no avail)

I’m looking for a chunk of PHP code that allows a user to sign into a single form which will authenticate them with multiple domains simultaneously.

Any help or direction would be greatly appreciated.

There is no magic chunk of PHP that can do that.

Perhaps Zend_OpenId

You need to keep in mind that almost all browsers (for obvious security reasons, XSS and the like) will only allow websites to set cookies for their own domain, they also only allow to read cookies for their own domain.

This means that your PHP installation on, is extremely unlikely to even note the presence of a cookie set on

logic’s reply sums this up quite nicely.

Although if all of the domains have access back to a central session manager (either DB or memcache based) then you can automate the process to a certain extent.

Tanus: not really, because session cookie is also domain-bound. The best approach to this problem would be OpenID. The worst would be to develop your own OpenID system. :slight_smile:

You can have one login server central for all your applications.

Then on users first entrance redirect to the login server.

If the user is already logged in redirect him back to his account.

If login is required redirect him to your account login page.

Hope this helps :wink:

I cannot AJAX login and remember login (keep signed in) with OpenID, any solution?

Don’t use an AJAX login? Really, why does the login have to use AJAX?

Yeah, I’ve been caught up too much with subdomains hosted on different boxes, for which you can set the cookie domain to be something like *…

Have you checked out CAS authentication?

If all your domains connect to the same database, you MIGHT be able to keep the user signed on with some sort of method that captures the IP address, browser version, operating system, etc. and then do lookups on that information on each site from that same central database and then restore the user login on the new domain.

That being said, it is still possible to have 2 users with the same IP address and the same browser/OS combination, so even that isn’t really a truly secure method. With the domain limitation on cookies, I’m not sure this is possible to do dynamically.

I suppose one possible option would be to append all the links to your other sites with some sort of query string variable that would restore their session information if that is set when they first enter the site, but you’re still going to have some sort of central database to store all the session information that each site will have access to.