Automatically login to current website if user is logged in to another website

被撕碎了的回忆 2021-01-12 00:26

I have about 100 websites coded in classic ASP. Each website accepts orders and stores them in a database. However, the payment of these orders must be made on another website

4 answers
  • 2021-01-12 00:39

    Passport-based authentication is a centralized authentication service provided by Microsoft that offers a single logon and core profile services for member sites. For more information, see the following Microsoft Web site:

    Passport Authentication Provider

  • 2021-01-12 00:39

    If you can't implement Single Sign-On at your infrastructure level, you should use Identity Federation, which allows applications of different trusted parties to share authentication through claims.

    This can be done using Security Assertion Markup Language (SAML) directly or with products/standards like:

    • SimpleSAMLphp
    • Active Directory Federation Services

    Also, you can take a look at OAuth or OpenID, which are more shared-authentication schemes than SSO or identity federation.

  • 2021-01-12 00:44

    What you asked for is called single sign-on (SSO) and can be implemented in a few ways. There are many topics on this matter, for example: What's your favorite cross domain cookie sharing approach? But they all vary due to individual requirements.

    In your case you have different domains (so you cannot share cookies across them), you mix HTTP and HTTPS (which might be a problem), and you have many applications, so you won't make many changes.

    So I would recommend to consider Robert's suggestion:

    1. When the user is authenticated for the first time (website A), you save a GUID in the database. Add a new table for sessions with columns for GUID, userid, IP and timestamp, or save it as part of the orders data. Store the GUID in the session object.
    2. On the page that has a link to the payment site, set it in the query string or as a hidden variable (if it's a form).
    3. On the other domain (website B), check for the GUID and then look it up in the database. If it isn't too old, authenticate the user; otherwise redirect him to a login page.

    If you cannot change the link to the payment site, you could try to skip step 2 and validate the user by his IP, but this might be too risky.

  • 2021-01-12 00:46

    From the calling site you could create a GUID or some other randomly generated value. Store it on the user's record (set to expire in a specified time period) in the database, encrypt it, and pass it over SSL to the payment site, where it is decrypted and then compared to the database. If they match, the user is logged in; if they don't match, they are asked to log in.

    Another way, although I'm not sure it can be done with different domain names, is using sessions. Since they are all on the same machine it might be possible, but I'm not 100% sure on that one.

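The handoff that the last two answers describe (a random GUID-style token saved server-side with a timestamp, passed in the link, then looked up on the payment site) as an added example; this is not code from the thread, it is in Python rather than classic ASP, and the in-memory `HandoffStore` stands in for the shared sessions table. It goes slightly beyond the answers in two places a practitioner would want: the token is single-use, and only its hash is stored, so a copy of the table cannot be replayed.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 120  # constructed value: the handoff only needs to survive one redirect


class HandoffStore:
    """Stand-in for the sessions table (guid, userid, ip, timestamp) from the answer above."""

    def __init__(self):
        # keyed by SHA-256 of the token, never the raw token
        self.rows = {}


def _digest(token: str) -> str:
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_handoff(store: HandoffStore, userid: int, client_ip: str, now: float = None) -> str:
    """Site A: mint an unguessable one-time token, record its hash, return the raw token for the link."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG; a v4 GUID would also do
    store.rows[_digest(token)] = {
        "userid": userid,
        "ip": client_ip,
        "issued_at": now,
        "used": False,
    }
    return token


def redeem_handoff(store: HandoffStore, token: str, client_ip: str, now: float = None):
    """Site B: validate the token from the query string. Returns the userid, or None to force a login."""
    now = time.time() if now is None else now
    row = store.rows.get(_digest(token))
    if row is None:
        return None  # unknown token: never issued or already purged
    if row["used"]:
        return None  # replay of a link that was already consumed
    if now - row["issued_at"] > TOKEN_TTL_SECONDS:
        return None  # "too old": send the user to the login page instead
    if row["ip"] != client_ip:
        return None  # the IP binding the answer suggests; relax this if users sit behind changing NAT
    row["used"] = True  # burn it before trusting it, so a second request cannot race the first
    return row["userid"]
```

In a real deployment the store is the shared database and the check runs before the payment site's session is created; the raw token travels only inside the HTTPS link.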