How is PHP single sign-on implemented?

Single Sign On (Single Sign On), referred to as SSO, is one of the more popular enterprise business integration solutions at present. The definition of SSO is that in multiple application systems, users only need to log in once to access all mutually trusted application systems.

Recommended reading:php server

Method to implement single sign-on

server side

"Shared Cookie" is a way to share sessions. Essentially, cookies are just a medium for storing session-id. Session-id can also be placed in the URL of each request. The session mechanism is one server and one session

The SSO-Token method is because the method of sharing sessions is not safe, so we no longer use session-id as the identity identifier. We generate another identifier and name it SSO-Token. This identifier is used throughout the The server group is unique, so all server groups can verify the entire token. Getting the token at the same time means getting the user's information

Browser side

Single point There is a very critical step in logging in. This step has nothing to do with the way the token is verified on the server side. Whether using the earliest "shared session" method or the current "token" method, the identity identification will face such a problem on the browser side: After the user successfully logs in and gets the token (or session-id), how can the browser store and share it to other domain names?

The same domain name is very simple. Store the token in the cookie and set the cookie path to the top-level domain name so that all subdomains can read the token in the cookie. This is how to share cookies (this is called shared cookies, the one above should be called shared session).

Mechanism implemented by technology

When a user accesses the application system for the first time, because he has not yet logged in, he will be directed to the authentication system to log in; according to the user With the login information provided, the authentication system performs identity verification. If it passes the verification, an authentication credential-ticket should be returned to the user;

When the user accesses other applications, he or she will bring this ticket with him. , as a credential for its own authentication, after the application system receives the request, it will send the ticket to the authentication system for verification to check the validity of the ticket. If the verification is passed, the user can access application system 2 and application system 3 without logging in again.

To implement SSO, the following main functions are required:

All application systems share an identity authentication system.

A unified authentication system is one of the prerequisites for SSO. The main function of the authentication system is to compare the user's login information with the user information database and perform login authentication on the user; after successful authentication, the authentication system should generate a unified authentication mark (ticket) and return it to the user. In addition, the authentication system should also verify the ticket to determine its validity.

All application systems can identify and extract ticket information.

To realize the SSO function and allow users to log in only once, the application system must be able to identify users who have already logged in. The application system should be able to identify and extract tickets. Through communication with the authentication system, it can automatically determine whether the current user has logged in, thereby completing the single sign-on function.

The above is the detailed content of How is PHP single sign-on implemented?. For more information, please follow other related articles on the PHP Chinese website!