I'm interested in how to implement a shared cross-domain login system as well as best practices and security precautions to take. If you are familiar with 37Signals, you ar
Allowing users the option of using their facebook/yahoo/gmail/openID solution is a start, but that doesn't ultimately solve the solution of implementing or using one's own solution.
Having developed and managed an implementation in the past (we ultimately went toward SiteMinder, but I'm guessing you don't want the cost of a real product), I think that Eyal has a very good idea, but I'd add a little tweak to it.
At the time of authentication, generate a random code (could be a GUID value, but it is not static per user) that is stored in a transactional table along with the user id. This code has a maximum lifetime (you'll need to judge the safety value for that time period). This code would ideally be either hashed with the user name or encrypted and sent across as part of the URL.
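A minimal version of that handoff in Python, as an added example that is not code from the answer or from any product it mentions: the random code is stored with the user id and an expiry, bound to the user name with an HMAC under an assumed shared secret (one reading of "hashed with the user name"), carried as URL query parameters, and accepted exactly once by the receiving site. The secret, lifetime and in-memory table are constructed stand-ins.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode

# Constructed example values; in practice the secret is shared out-of-band by both sites.
SHARED_SECRET = b"constructed-example-shared-secret"
CODE_LIFETIME_SECONDS = 120  # the "maximum lifetime" the answer leaves to the operator

# Stand-in for the transactional table: code -> (user_id, expires_at)
handoff_table = {}


def _tag(user_id, code):
    # Bind the random code to the user name so neither part can be swapped in transit.
    msg = f"{user_id}:{code}".encode()
    return hmac.new(SHARED_SECRET, msg, hashlib.sha256).hexdigest()


def issue_handoff(user_id, now=None):
    """Called by the site that just authenticated the user; returns the query string."""
    now = time.time() if now is None else now
    code = secrets.token_urlsafe(32)  # fresh per login, never static per user
    handoff_table[code] = (user_id, now + CODE_LIFETIME_SECONDS)
    return urlencode({"user": user_id, "code": code, "tag": _tag(user_id, code)})


def redeem_handoff(query_string, now=None):
    """Called by the receiving site; returns the user id, or None if the handoff is invalid."""
    now = time.time() if now is None else now
    params = parse_qs(query_string)
    try:
        user_id, code, tag = (params[k][0] for k in ("user", "code", "tag"))
    except KeyError:
        return None  # a required parameter is missing
    if not hmac.compare_digest(_tag(user_id, code), tag):
        return None  # user or code was altered in transit
    entry = handoff_table.pop(code, None)  # single use: consumed on first presentation
    if entry is None:
        return None  # unknown or already used
    stored_user, expires_at = entry
    if stored_user != user_id or now > expires_at:
        return None  # lifetime exceeded, or does not match the stored row
    return stored_user
```

An expired or mismatched code is still removed from the table on presentation, so a late replay cannot be retried; a request whose HMAC fails is rejected before the table is touched.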