the only bit of information a browser could keep is cookies which are limited by domain.

A browser can also send get/post parameters, which is the usual way to keep session when cookies are disabled. Thus, if the service receives a token as a means for user authentication, each time it generates a link to another service it should add a token to it. For instance, http://other-foo.com would become http://other-foo.com?token=xxx.

On the other hand, sharing secret keys is obviously to be expected in any scenario in order for each "service provider" to be able to communicate (securely) with the "login server".

I would rather use a public key crypto scheme and share public keys rather than secret keys. This allows confidentiality during information exchange without requiring a previous confidential channel for key exchange and lets you keep each private key in a single location, thus reducing leakage risk.

if done locally, people could get "stalled" access
Would you really need real-time authorization changes? I would let services poll the authorization server every now and then (say half an hour) to check if any authorization has changed and in that case invalidate all sessions for no-longer-authorized clients. This would be totally transparent to the user and would not require much network traffic or impose delays in navigation, while still keeping the system quickly responsive to authorization changes.

Cheers

Antonio Bellezza


The stupider the astronaut, the easier it is to win the trip to Vega - A. Tucket
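The two mechanisms the post describes, a token appended to every cross-service link and a periodic poll of the authorization server that drops sessions of users who lost their authorization, as an added example (not code from the post or from any of the thread's Perl solutions). It uses an HMAC over a shared secret so that it runs on the standard library alone; the post's preference for public keys would replace issue_token/verify_token's signing and checking with a signature made with the login server's private key and checked with its public key, the rest being unchanged. The secret, the service names and the user names are constructed for the example.

```python
import base64
import binascii
import hashlib
import hmac
import secrets
import time
from typing import Optional
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed for this example: the secret the login server shares with one
# service provider.  With the post's public-key variant, the login server would
# sign with its private key and the service would verify with the public key.
SHARED_SECRET = b"example-shared-secret-not-for-production"
TOKEN_TTL = 300  # seconds a link token stays valid; keep this short


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user: str, audience: str, now: Optional[float] = None) -> str:
    """Login server side: token = b64(user|audience|expiry|nonce) '.' b64(mac).

    The audience binds the token to one service so it cannot be replayed
    against another; the nonce makes every issued token distinct.
    """
    if "|" in user or "|" in audience:
        raise ValueError("field separator not allowed in user or audience")
    now = time.time() if now is None else now
    body = f"{user}|{audience}|{int(now) + TOKEN_TTL}|{secrets.token_hex(8)}".encode()
    mac = hmac.new(SHARED_SECRET, body, hashlib.sha256).digest()
    return f"{_b64(body)}.{_b64(mac)}"


def verify_token(token: str, audience: str, now: Optional[float] = None) -> Optional[str]:
    """Service side: return the user name if the token is valid here, else None."""
    now = time.time() if now is None else now
    try:
        body_b64, mac_b64 = token.split(".", 1)
        body, mac = _unb64(body_b64), _unb64(mac_b64)
        expected = hmac.new(SHARED_SECRET, body, hashlib.sha256).digest()
        if not hmac.compare_digest(mac, expected):   # constant-time comparison
            return None
        user, aud, expiry, _nonce = body.decode().split("|", 3)
    except (ValueError, binascii.Error, UnicodeDecodeError):
        return None
    if aud != audience or int(expiry) < now:          # wrong service or expired
        return None
    return user


def add_token_to_link(url: str, token: str) -> str:
    """Rewrite a link to another service so it carries the token as ?token=..."""
    parts = urlsplit(url)
    query = dict(parse_qsl(parts.query, keep_blank_values=True))
    query["token"] = token
    return urlunsplit(parts._replace(query=urlencode(query)))


def user_from_link(url: str, audience: str, now: Optional[float] = None) -> Optional[str]:
    """What the receiving service does with an inbound link."""
    query = dict(parse_qsl(urlsplit(url).query))
    if "token" not in query:
        return None
    return verify_token(query["token"], audience, now)


class ServiceSessions:
    """Local sessions of one service, reconciled against the authorization server."""

    def __init__(self) -> None:
        self.sessions: dict = {}  # session id -> user

    def login(self, user: str) -> str:
        sid = secrets.token_hex(16)
        self.sessions[sid] = user
        return sid

    def poll_authorization(self, still_authorized: set) -> list:
        """Run every N minutes with the authorization server's current user list;
        drops every session of a user no longer in it and returns those users."""
        dropped = [sid for sid, user in self.sessions.items() if user not in still_authorized]
        users = sorted({self.sessions.pop(sid) for sid in dropped})
        return users


if __name__ == "__main__":
    tok = issue_token("alice", "other-foo.com")
    link = add_token_to_link("http://other-foo.com", tok)
    print(link)
    print("user from link:", user_from_link(link, "other-foo.com"))
    svc = ServiceSessions()
    svc.login("alice")
    svc.login("bob")
    print("dropped after poll:", svc.poll_authorization({"alice"}))
```

The token is what the post sketches for the cookieless case; the audience and expiry fields are the two checks a receiving service should never skip, because a token that is valid for any service forever is just a long-lived password in the URL (and URLs end up in logs and referrers, which is why the TTL is minutes, not days).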

In reply to Re: Re: Re: "Single Sign On" perl based solutions? by abell
in thread "Single Sign On" perl based solutions? by AltBlue
