
Analysis of how to use PHP to implement single sign-on

不言
2018-07-24 11:36:22

This article analyzes how to use PHP to implement single sign-on. It should be a useful reference for anyone who needs it.

Explanation of single sign-on

Single sign-on, referred to as SSO, is one of the more popular enterprise business integration solutions at present. SSO means that, across multiple application systems, users only need to log in once to access all mutually trusted application systems.

Implementation method

Server side

  • The "shared cookie" method is really a way of sharing the session. In essence, the cookie is only the medium that stores the session-id; the session-id can also be placed in the URL of each request. In the session mechanism, each server has its own session.

  • The SSO-Token method exists because sharing the session is not safe, so we no longer use the session-id as the identity identifier. We generate another identifier and name it the SSO-Token. This identifier is unique in the entire server group, so every server in the group can verify the token. At the same time, getting the token means getting the user's information.

Browser side

  • Single sign-on has another very critical step, and it has nothing to do with how the token is verified on the server side. Whether the earliest "shared session" method or the current "token" method is used, the identity identifier faces the same problem on the browser side: once the user has logged in successfully and obtained the token (or session-id), how can the browser store it and share it under other domain names? Under the same domain name this is very simple: store the token in a cookie and set the cookie path to the top-level domain name, so that all subdomains can read the token in the cookie. This is how cookies are shared (this is what should be called shared cookies; the method above should be called shared session). For example, google.com is Google's top-level domain name, and mail.google.com for email services and map.google.com for map services are both its subdomains. But what should we do when going cross-domain? Google also has a domain name, youtube.com, which provides video services[2].

Mechanism implemented by technology

When the user accesses the application system for the first time, he has not logged in yet, so he is directed to the authentication system to log in. Based on the login information provided by the user, the authentication system performs identity verification. If verification passes, it returns an authentication credential, the ticket. When the user accesses other applications, he brings this ticket with him as his authentication credential. After receiving the request, the application system sends the ticket to the authentication system, which checks the validity of the ticket. If the verification is passed, the user can access application system 2 and application system 3 without logging in again.
To implement SSO, the following main functions are required:
All application systems share an identity authentication system.

  • The unified authentication system is one of the prerequisites for SSO. The main function of the authentication system is to compare the user's login information with the user information database and perform login authentication on the user; after successful authentication, the authentication system should generate a unified authentication mark (ticket) and return it to the user. In addition, the authentication system should also verify the ticket to determine its validity.

All application systems can identify and extract ticket information.

  • To implement the SSO function and allow users to log in only once, the application system must be able to identify users who have already logged in. The application system should be able to identify and extract tickets. Through communication with the authentication system, it can automatically determine whether the current user has logged in, thereby completing the single sign-on function.
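
The ticket exchange described above, seen from the authentication system, as an added example that is not code from the original article (PHP 8). The class name, the URLs and the in-memory array are assumptions, and the short lifetime, single use and per-application binding are hardening choices that go beyond what the article specifies.

```php
<?php
declare(strict_types=1);

// Added example, not the article's code. SsoTicketStore and the URLs are hypothetical;
// the array stands in for storage owned by the authentication system (database, Redis).
final class SsoTicketStore
{
    /** @var array<string, array{user: string, service: string, expires: int}> */
    private array $tickets = [];

    public function __construct(private int $ttlSeconds = 60) {}

    // Called by the authentication system after the login check succeeds.
    public function issue(string $userId, string $serviceUrl): string
    {
        $ticket = 'ST-' . bin2hex(random_bytes(32)); // unguessable, unique in the server group
        // Store only a hash, so a leaked ticket table cannot be replayed as-is.
        $this->tickets[hash('sha256', $ticket)] = [
            'user'    => $userId,
            'service' => $serviceUrl,
            'expires' => time() + $this->ttlSeconds,
        ];
        return $ticket;
    }

    // Called when an application system sends a ticket back for verification.
    // Returns the user id, or null for an unknown, expired, used or misdirected ticket.
    public function validate(string $ticket, string $serviceUrl): ?string
    {
        $key = hash('sha256', $ticket);
        $entry = $this->tickets[$key] ?? null;
        unset($this->tickets[$key]); // single use: consumed on the first attempt
        if ($entry === null || $entry['expires'] < time()) {
            return null;
        }
        return hash_equals($entry['service'], $serviceUrl) ? $entry['user'] : null;
    }
}

$auth = new SsoTicketStore();
$app2 = 'https://app2.example.test/'; // constructed sample application URLs
$app3 = 'https://app3.example.test/';

$ticket = $auth->issue('alice', $app2);
var_dump($auth->validate($ticket, $app2));                      // first use, right application
var_dump($auth->validate($ticket, $app2));                      // replay of a consumed ticket
var_dump($auth->validate($auth->issue('alice', $app2), $app3)); // presented to another application
var_dump($auth->validate('ST-forged', $app2));                  // ticket that was never issued
```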
