Warning: Table './jdarx_drupal/sessions' is marked as crashed and should be repaired query: SELECT u.*, s.* FROM users u INNER JOIN sessions s ON u.uid = s.uid WHERE s.sid = 'aafaa27f09a6e8a5c161b32e501e300c' in /f2/jdarx/public/includes/database.mysql.inc on line 172

Warning: session_start() [function.session-start]: Cannot send session cache limiter - headers already sent (output started at /f2/jdarx/public/includes/database.mysql.inc:172) in /f2/jdarx/public/includes/bootstrap.inc on line 899

Warning: Cannot modify header information - headers already sent by (output started at /f2/jdarx/public/includes/database.mysql.inc:172) in /f2/jdarx/public/includes/bootstrap.inc on line 531

Warning: Cannot modify header information - headers already sent by (output started at /f2/jdarx/public/includes/database.mysql.inc:172) in /f2/jdarx/public/includes/bootstrap.inc on line 532

Warning: Cannot modify header information - headers already sent by (output started at /f2/jdarx/public/includes/database.mysql.inc:172) in /f2/jdarx/public/includes/bootstrap.inc on line 533

Warning: Cannot modify header information - headers already sent by (output started at /f2/jdarx/public/includes/database.mysql.inc:172) in /f2/jdarx/public/includes/bootstrap.inc on line 534
Single sign-on for HTTP Authentication
Published on wayland's Computer Stuff (http://computerstuff.jdarx.info)
Single sign-on for HTTP Authentication
By wayland
Created 2007-11-26 23:00

This discusses using a single sign-on for multiple domains with HTTP Authentication

Table of Contents

  1. The Problem [1]
  2. Solutions [2]
    1. Immediate solution: Multiple domains in HTTP Digest [3]
    2. Medium-term solution: Get Microsoft to change [4]
    3. Long-term solution: More RFC changes [5]

The Problem

The goal here is that an entire set of subdomains be authenticated with a single sign-on. This can be done in a session-based setting with cookies or URL rewriting. With HTTP Autentication, it may be a little more difficult.

Solutions

Immediate solution: Multiple domains in HTTP Digest

HTTP Digest authentication allows listing of domains that are to be included in the realm. This is better than nothing, but has two problems as a solution:

  1. It's not as scalable as it could be. If you had a blog for each user, eg. fred.blogs.example.com [6] and john.blogs.example.com, and had 5000 users, listing each one would be a problem, as HTTP Digest doesn't take wildcards like *.blogs.example.com
  2. HTTP Digest is not properly supported by Microsoft; their implementation is incompatible with the RFC, and with everyone else (including Apache, the major server provider on the 'Net, and with Firefox, the other main browser).

There are ways of working around this second problem if you're using Apache on the server side; see mod_auth_digest: Working with MS Internet Explorer [7].

Medium-term solution: Get Microsoft to change

The proper solution to the second part of the problem is to get Microsoft to change their browser. After you stop laughing at the idea.

Long-term solution: More RFC changes

The solution to the first problem (listed under "Immediate solution", above) would be to modify the HTTP standard to support Digest wildcards.

Source URL: http://computerstuff.jdarx.info/content/single-sign-http-authentication

Links:
[1] http://computerstuff.jdarx.info/content/single-sign-http-authentication#toc0
[2] http://computerstuff.jdarx.info/content/single-sign-http-authentication#toc1
[3] http://computerstuff.jdarx.info/content/single-sign-http-authentication#toc2
[4] http://computerstuff.jdarx.info/content/single-sign-http-authentication#toc3
[5] http://computerstuff.jdarx.info/content/single-sign-http-authentication#toc4
[6] http://fred.blogs.example.com
[7] http://httpd.apache.org/docs/2.2/mod/mod_auth_digest.html