[thesite] Unified Login

Joshua Olson joshua at alphashop.com
Fri Sep 21 13:11:32 CDT 2001


Can anybody please bring us up to date on what was talked about for this
topic?

A couple of key components are necessary for this to work:

- A unified user database to authenticate against.
- A way to set cookies for all domains that does not compromise security but
still lets an authenticated user be recognized by the system regardless of
the domain they logged in to.
- A way to detect if the person has logged out of one domain and ensure that
the cookies for all domains become invalid.

Is there a unified database that can be accessed for authentication?  If
not, the strategy gets a whole lot hairier.

A common strategy to handle the cookie is to set some sort of UID in the
cookie.  The UID is generated when a user logs in to the system and is
recorded with the account.  On the "thank you for logging in screen", pepper
the browser with an image from each domain in the realm (they can be single
pixel transparent images) that tote along a cookie from that domain
containing the UID.  When a person then visits a different domain in the
realm, the UID is matched with an account to let the person log in
automatically.  If/when a person logs out, just NULLify the UID in the
account and do whatever it takes to kill the session.

Now, since evolt all falls within the .evolt.org tld, a properly formatted
cookie could be valid for all domains in the realm (deo, feo, weo, teo, etc)
and sent with every page request regardless of the domain.  If this works,
then you do not need the peppering of images to get the cookies to the
client's machine.

Thoughts?  Suggestions?

-joshua
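Added example, not code from the post or from evolt, of the scheme Joshua sketches: a UID minted at login and recorded on the account, delivered as one cookie scoped to the whole realm domain (the variant that needs no image peppering), matched on any realm host, and killed everywhere by NULLifying the stored UID at logout. The in-memory ACCOUNTS store, REALM_DOMAIN and all function names are constructed for illustration.

```python
import secrets
from http.cookies import SimpleCookie

# Constructed stand-in for the unified user database the post asks about.
ACCOUNTS = {"alice": {"password": "correct horse", "uid": None}}

REALM_DOMAIN = ".evolt.org"  # one cookie, sent to every host in the realm


def login(username, password):
    """Verify credentials, mint a fresh UID, record it on the account and
    return the Set-Cookie header the browser will replay to all realm hosts."""
    acct = ACCOUNTS.get(username)
    if acct is None or acct["password"] != password:
        return None
    # An unguessable random token, not a sequential id: a predictable UID
    # would let anyone mint a cookie for somebody else's account.
    acct["uid"] = secrets.token_urlsafe(32)
    cookie = SimpleCookie()
    cookie["uid"] = acct["uid"]
    cookie["uid"]["domain"] = REALM_DOMAIN
    cookie["uid"]["path"] = "/"
    cookie["uid"]["secure"] = True    # never sent over plain HTTP
    cookie["uid"]["httponly"] = True  # not readable by page scripts
    return cookie.output(header="Set-Cookie:")


def whoami(cookie_header):
    """On any realm host: match the presented UID to an account. A NULLed
    UID (after logout) matches nothing, so the cookie dies on all domains."""
    cookie = SimpleCookie(cookie_header)
    if "uid" not in cookie:
        return None
    presented = cookie["uid"].value
    for name, acct in ACCOUNTS.items():
        stored = acct["uid"]
        if stored is not None and secrets.compare_digest(stored, presented):
            return name
    return None


def logout(username):
    """Invalidate the realm-wide session by NULLifying the recorded UID."""
    ACCOUNTS[username]["uid"] = None
```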
