Autologin from a website to another


I have two PHP applications: one hosted on example.com and one on example.org. Both applications are indispensable, meaning that when a user uses the application on example.com, he will use example.org too, because one part of the application is at example.com and another part is at example.org. But there is a problem. When a user is using example.com and needs a function of example.org, he goes to example.org by clicking a button on example.com (and vice versa), but he needs to log in again (that's the problem).

How can I auto-login a user on example.org when he is sent to example.org from example.com (usernames & passwords are the same for a user on both domains)?

I want to be very secure.

Thank you so much!


There are 2 best solutions below

0
On

You have to pass a session from one site to the other site in the URL, and also pass the encrypted md5 password using a salt. On the other site, use the same mechanism for decryption and then match that encrypted password to the one that you receive from the URL.

0
On

There are some ways of doing that. One way is sending the user's credentials (encrypted) to the other site and using an HTTP module at the destination to try to log in to the application, but it is not secure.

The other way, and the secure one, is using WIF (Windows Identity Foundation); with that you will have SSO (Single Sign-On and Single Sign-Out) functionality. Using the WIF SDK makes life easier because it generates the required configuration on both sides, and authentication happens only on the IdP (Identity Provider) side.

Or use cookies.

To make such a feature we have to use a cookie. You have to make sure that you DO NOT use this option when you’re working on a public computer (example: one from an Internet Cafe). This way, no one that will use the same computer will get access to your account(s) (for example: your Inbox from GMail). There’s also one important aspect: make sure that the saved cookies do not contain your password. Usually you should see a long encrypted string. Sites that do not respect this ‘rule’ shouldn’t be trusted.
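
An added example, not code from the question or from either answer: a hand-off between the two PHP sites that never puts the password (or a hash of it) in the URL, using a different technique from the ones described above, namely an HMAC-signed, short-lived, single-use token. The names `HANDOFF_KEY`, `issue_handoff_token`, `verify_handoff_token` and the `$seen` replay store are assumptions made for illustration.

```php
<?php
// Placeholder secret: both sites load the same random key from server-side config.
const HANDOFF_KEY = 'replace-with-32-random-bytes-from-config';
const HANDOFF_TTL = 60; // seconds a token stays valid

function b64url(string $bin): string {
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}

// example.com: called for an already logged-in user who clicks the button.
function issue_handoff_token(string $username, int $now): string {
    $payload = b64url(json_encode([
        'sub' => $username,                  // who is being handed over
        'aud' => 'example.org',              // only this site may accept it
        'exp' => $now + HANDOFF_TTL,         // expiry time
        'jti' => bin2hex(random_bytes(16)),  // unique id, used to block replay
    ]));
    return $payload . '.' . b64url(hash_hmac('sha256', $payload, HANDOFF_KEY, true));
}

// example.org: returns the username, or null when the token must be rejected.
// $seen stands in for a shared store (database, Redis) of used token ids.
function verify_handoff_token(string $token, int $now, array &$seen): ?string {
    $parts = explode('.', $token);
    if (count($parts) !== 2) return null;
    [$payload, $mac] = $parts;
    $expected = b64url(hash_hmac('sha256', $payload, HANDOFF_KEY, true));
    if (!hash_equals($expected, $mac)) return null;   // tampered or wrong key
    $claims = json_decode(base64_decode(strtr($payload, '-_', '+/')), true);
    if (!is_array($claims)) return null;
    if (($claims['aud'] ?? '') !== 'example.org') return null;
    if (($claims['exp'] ?? 0) < $now) return null;    // expired
    $jti = $claims['jti'] ?? null;
    $sub = $claims['sub'] ?? null;
    if (!is_string($jti) || !is_string($sub)) return null;
    if (isset($seen[$jti])) return null;              // already used once
    $seen[$jti] = true;
    return $sub;
}

// Constructed demonstration: the same token is presented twice.
$seen  = [];
$token = issue_handoff_token('alice', time());
var_dump(verify_handoff_token($token, time(), $seen)); // first presentation
var_dump(verify_handoff_token($token, time(), $seen)); // replay of the same token
```

On a successful verification example.org would start its own session for the returned user (calling `session_regenerate_id(true)`) and redirect to a URL without the token; both sites need HTTPS so the token is not exposed in transit.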