Sina SSO login process analysis

Recently studied the login process of Sina CAS and found that in fact, Sina's sso implements yale-CAS and adds a little bit of new things. The basic authentication process interaction process remains unchanged. Its originality is the implementation of Ajax single sign-in, which is quite awesome. The implementation principle is iframe+javaScript callback function.

1. Junior SSO

Basic SSO is to realize unified login under the same top-level domain name by planting the cookie of the top-level domain name. For example:

Single sign-on address: sso.xxx.com/login.jsp

Application 1: web1.xxx.com/login.jsp

Application 2: web2.xxx.com/login.jsp

Application 3 : web3.xxx.com/login.jsp

Login process:

Situation 1: (The user has never logged in)

1, The user accesses web1.xxx.com/login.jsp, and web1 redirects to sso.xxx. com/login.jsp

2, User input verification, successful. sso.xxx.com implants the tokenid of the .xxx.com domain cookie and redirects to web1.xxx.com/login.jsp. web1.xxx.com accesses the tokenid of the .xxx.com domain cookie to determine that it has been logged in, and the system logs in Finish.

Situation 2: (The user has already logged in) Log in directly.

Second, Sina SSO

Sina realizes unified login across domain names, which is essentially based on Cookie. If the user disables cookies, they will not be able to log in anyway. For example: The Sina SSO server is login.sina.com.cn/sso/login.php

, and the Weibo login address is weibo.com/login.php. Login across first-level domain names is achieved through callback functions and iframes.

Details of the authentication process: Here we only introduce users who have never logged in.

1, The user enters weibo.com/login.php

2, The user enters the user name. After the input is completed, when the focus of the user name input box is lost, the page number sends a request to the server login.sina.com.cn/sso/prelogin.php through ajax, and the parameter is user (the user name just entered). The service returns server time and nonce authentication, which are written into javascript variables through the callback function.

3. The user enters the password, clicks to log in, and the page POST request (note that it is an ajax request, not sent by login.php),

login.sina.com.cn/sso/login.php?client=ssologin.js (v1.3.12), the page initiated by the request is an invisible iframe page in weibo.com/login.php, and the parameters are the server time and nonce obtained in the second step, the user name and the encrypted password. Return to the planted cookie tgt under login.sina.com.cn. At the same time, modify the iframe address to weibo.com/ajaxlogin.php?ticket=XXXXXX. Note that ticket is very important. This is the user's login and service credentials.

4, iframe visits weibo.com/ajaxlogin.php?ticket=XXXXXX, the user logs in, and returns a cookie planted under .weibo.com to record the user's login information.

5. Visit weibo.com/login.php again through js. Because the cookie has been written and the login is successful, the server sends 302 and redirects to the user's home page. Weibo.com/userid .

6, At this point, the login process is completed.

Focus: Analysis of interaction process and password encryption algorithm.