Cookie based SSO

Question

How can I implement a cookie based single sign on without a sso server? I would to share the user logged in across multiple applications using only a cookie on the browser.

In my mind it's working like this:

user logs in an application
the application verifies the credentials and then it setting up a cookie on the browser storing the username (that could be coded with a private key)
if the user opens another application, it searches the cookie and reads the username on the value (using the key for decode the string)

In this solution a user may see the browser cookie (of a another user) and take the string codified of the username. Then he could adding it on an own cookie (no good!).

There's some secure way to do this? With a timestamp based control or something like this?

Thanks in advance.

Bye

P.S. I know that my english isn't very well.. sorry for this!

score 20 · Accepted Answer · answered Nov 23 '09 at 16:24

20

This is impossible. Cookies are unique to each domain, and one domain cannot read another domain's cookies.

answered Nov 23 '09 at 16:24

Stefan Kendall

66,414
68
253
406

+1 Yep, cross-domain cookies are not allowed, and generally a bad idea anyway. – Chris Ballance Nov 23 '09 at 16:26
even if I set a different domain (if it's possible)? – frengo Nov 23 '09 at 16:26
1

You can't set a different domain. – Quentin Nov 23 '09 at 16:32
4

The browsers won't allow that. Think how dangerous that would be - a malicious site being able to set cookies for your online banking site... – JonoW Nov 23 '09 at 16:33
I didn't know this thing. Thanks for all comments. – frengo Nov 23 '09 at 16:37
30

cookies can be shared if domains have a master domain in common. `foo.example.com` and `bar.example.com` can share a `.example.com` cookie. – regilero Sep 10 '13 at 14:50

pedrofb · Answer 2 · 2016-05-23T14:45:21.927

10

I think the answer comes a little late, but maybe I can help someone.

You can have a cookie / localStorage in an intermediate domain connected to the home page using an iframe

cross domain sso

1) Login The login form in any of your domains deposits the identification token in a cookie on sso.domain.com by an event (postMessage) 2) Verification domain1 and domain2 include a iframe pointing to sso.domain.com, which reads the token and notifies the home page

To simplify development, we have released recently a cross domain SSO with JWT at https://github.com/Aralink/ssojwt

edited May 23 '16 at 14:45

answered May 23 '16 at 14:39

pedrofb

37,271
5
94
142

1

Accidentally, I found your answer on SO, also with good explanation using iframe solution. Upvote for both answers! https://stackoverflow.com/questions/37559827/how-youtube-gets-logged-in-to-gmail-account-without-getting-redirected/37565692#37565692 @pedrofb – David Apr 03 '20 at 10:28

score 8 · Answer 3 · answered Dec 12 '09 at 17:50

There is a simple solution without using an sso server, but not with 1 common cookie, as we know that cookie's are not shared between domains.

When the user authenticates on site-a.com, you set a cookie on site-a.com domain. Then on site-b.com, you link a dynamic javascript from site-a.com, generated by server side script (php, etc) who has access to the created cookie, and then copy the same cookie on site-b.com on the client-side using js. Now both sites have the same cookie, without the need of asking the user to re-login.

You may encrypt/encode the cookie value using a method that both site-a and site-b knows how to decode, so that site-b will be able to validate his cookie copy. Use a common shared secret that without it will be impossible to encode or decode.

You see that on the 1st page load of site-b.com, the cookie is not present, therefore if you see necessary, you may want to do a page reload after setting the cookie.

Interesting, but how does site-a know what session to return to site-b? Does it require data to be transferred between site-a to site-b via link? For example, href=site-b.com?sessid=fivghv6775ghffh ? — Martyn, Feb 09 '16 at 00:22
Session cookies should always have the HTTP-only attribute set preventing them from being read through JavaScript. This prevents the session being stolen by an XSS or JavaScript injection vulnerability. And with that attribute enabled, this solution will not work. — LordOfThePigs, Nov 24 '16 at 10:27
Storing session id cookie which can be accessible via javascript has huge security risks. Such cookies should be `http only` — ravi404, Oct 30 '18 at 12:52

score 3 · Answer 4 · answered Nov 23 '09 at 16:49

I have done something similar. There is a PHP application where the user logs in, the system contact a web service and then the service checks the user's credentials on the Active Directory. When the user is authenticated, his PHP session is stored in the DB. Another web application can read the PHP session from the cookies and uery a web service in the PHP applicaiton, the PHP application check the session in the database and return the user id. In this way I have a SSO using SOA.

Do not rely on the user id stored in the browser, is a security error, at least encrypt the id.

The best solution would be to put the login form and session storage in the same application, then this application can provide services to other applications.

And use HTTPS for the kind of infomation exchange.

The cookies can be read only if the belongs to the same domain, for instance:

intranet.example.com crm.example.com example.com/erp

score 2 · Answer 5 · answered Nov 23 '09 at 16:35

2

You can access cookies across subdomains, but I do not think using browser cookies is a great solution. You really don't need a "SSO server" to implement a single sign-on. It is fairly easy to come up with a payload that both applications recognize. I have seen custom SSO solutions that transmit the payload using XML over HTTPS.

answered Nov 23 '09 at 16:35

Neal Swearer

2,482
1
16
11

Could you explain better this solution? Thanks! – frengo Nov 23 '09 at 16:43
When issuing a cookie (and here you may need to get your hand dirty a little bit if you've been using the features of a web stack that writes cookies for you, without asking you too many questions), just enter ".yourdomian.com" for the domain instead of "yousubdomain.yourdomain.com" and any subdomain will be able to read it. – Josh Pearce Nov 23 '09 at 17:02

score 0 · Answer 6 · answered Nov 23 '09 at 16:44

Here is a solution (which will hopefully get heavily scrutinized by security gurus on here):

Have each domain store user data in a similar cookie, and when a user want to jump from one domain to another without authenticating themselves on the new domain, provide a "jumplink" with an encrypted token in the query string. The new domain would decrypt the cookie, and figure out who the user is, then issue them a new cookie for that domain. You would want the "jumplink" to have a very short expiration date, so I would not generate them right into the page, but generate links to a "jumplink" generator and re-director.

This might not be necessary, but the receiving page for the "jumplink" could make a web service call back to the originating domain, to verify the authenticity of the encrypted token and the whether it's expired.

I think this solution would be susceptible to man-in-the-middle attacks (not sure if it would be more so than other auth mechanisms which are currently popular), but you could incorporate a client MAC address and IP address into the encrypted token for extra security.

In this case the user must click on a special link to jump in an other site, right? I don't want it.. Thanks — frengo, Nov 23 '09 at 17:06
That's is correct, however it's nearly the only way to achieve cross-domain authentication. — Josh Pearce, Nov 23 '09 at 17:26

Cookie based SSO

6 Answers6