Closed (won't fix)
Project:
Bakery Single Sign-On System
Version:
7.x-1.x-dev
Component:
Code
Priority:
Normal
Category:
Feature request
Assigned:
Unassigned
Reporter:
Created:
16 Mar 2010 at 22:38 UTC
Updated:
15 Jun 2010 at 10:06 UTC
It would be very useful for us to use this across domains and to let subdomains be the master site. I do not understand cookies very well, but this site http://www.15seconds.com/Issue/971108.htm seems to say that cookies can be shared across domains, though it is harder than just subdomains.
Does anyone know what it would take to do this? I am willing to fund a bounty of a few hundred $.
Comments
Comment #1
replicaobscura commented: I am working on tackling this... After looking at the available options for sharing sessions across domains, this seems like a good pattern:
http://www.theserverside.com/patterns/thread.tss?thread_id=31258
I am working on a custom version of the 'bakery' module. Depending on how much is changed, it will either turn into its own module, or maybe it can be included in future releases of Bakery.
Essentially, it will work as Bakery does, but will use a different cookie for every domain.
Let's say Domain1 is the master domain. Domain2 is a "vanity" domain, or in Bakery's case, a "slave" domain.
1. A user requests a protected page (or clicks Login) on domain2.
2. The user is redirected to domain1 to either get the current authentication cookie or create a new one. Included is a referer URL indicating the page on domain2 the user was trying to access.
3. domain1 gets its auth cookie (potentially authenticating the user first), and returns the data from the cookie to a special URL on domain2.
4. The special URL on domain2 takes the cookie information and generates a new cookie with the same data, but using its own domain as the cookie domain.
5. The special URL then sets the new, valid cookie and redirects the user back to the page they were originally trying to access.
When the user logs out, the local cookie is deleted, and a request is then sent to domain1 to log the user out so they have to re-sign in next time.
It seems simple, and it seems like it would work--but I'm not sure I have the time or resources available to code it. I am working on it now and will post updates as I figure it out.
Comment #2
replicaobscura commented: I have decided the functionality I am looking for cross-site single-sign-on goes a bit beyond Bakery.
I am starting a new module with two components: sso_server and sso_client.
I will make a new project on this site for it soon. Assistance will be greatly appreciated.
sso_server will be enabled on the "Master". It provides administrative options such as a security key, cookie lifetime, list of client domains, etc. sso_server also provides functions for accepting requests from clients and returning cookie data to clients.
sso_client will be enabled on all "Slave" servers (but not the master). It offers client configuration options such as the master server URL, master security key, etc. It overrides the core login, logout, and registration functions.
- When a user tries to log in on an SSO client, it first checks if a client cookie exists and uses that if so.
- If not, a request will be sent to the SSO server asking for cookie data.
- If none exists, the user will be redirected to a login page on the SSO server and then sent back to the SSO client.
- The SSO client accepts the cookie data and generates its own cookie for its own $cookie_domain with the same data.
- The user is then logged into the SSO server and client by virtue of matching cookies on their respective domains.
- When a user tries to log out on an SSO client, the logout request is sent to the SSO server.
- The SSO server cleans up its own cookie and redirects back to the client.
- The SSO client then deletes its own cookie, and the user is officially logged out of both the client and server.
User syncing will be handled, but I'm not sure yet if it will be part of the client/server setup, or a third module that's specifically designed for that functionality.
Let me know if you're interested in helping or if you think this functionality could better be served included in another, existing module. My email is ben.mcclure@gmail.com
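The hand-off described in comments #1 and #2, written out as an added example for this thread; it is not code from Bakery and not from the proposed sso_server/sso_client module, and Python stands in for the PHP a Drupal module would be written in. It assumes the "security key" from comment #2 is an HMAC secret shared by the master and its clients, and the domain names, the `/sso/receive` path, the class names and the sample user are constructed. What the comments leave implicit is how the client can trust the cookie data it receives at its special URL: here the master signs the data, binds it to one client domain and one return page, gives it a short lifetime and a one-time nonce, and only redirects to domains on its client list, so a forged, replayed, expired or redirected hand-off is rejected before any local cookie is set.

```python
"""Cross-domain SSO hand-off modelled on the flow described in this thread.

Added illustration, not Bakery's code and not the proposed sso_server/sso_client
module's. The master (domain1) hands cookie data to a client on another domain
through a special URL; the client re-issues that data as a cookie for its own
$cookie_domain. The "security key" from comment #2 is treated as an HMAC secret
shared by master and clients. Domain names, paths and class names are assumed.
"""
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlsplit

SECRET_KEY = b"constructed-shared-security-key"          # sample value only
CLIENT_DOMAINS = {"domain2.example", "domain3.example"}  # master's client list
HANDOFF_LIFETIME = 60  # seconds a hand-off token stays valid


def sign(payload):
    """HMAC-SHA256 over the serialized cookie data, keyed with the shared secret."""
    return hmac.new(SECRET_KEY, payload, hashlib.sha256).hexdigest()


class SsoServer:
    """Runs on the master domain and holds the authoritative login state."""

    def __init__(self):
        self.sessions = {}  # master cookie value -> user record

    def login(self, name, uid):
        cookie = secrets.token_urlsafe(16)
        self.sessions[cookie] = {"uid": uid, "name": name}
        return cookie

    def handoff_url(self, master_cookie, client_domain, destination):
        """Step 3: send the cookie data to the client's special URL, signed,
        bound to that client and return page, short-lived, with a one-time nonce."""
        if client_domain not in CLIENT_DOMAINS:
            raise ValueError("unknown client domain")  # never redirect to arbitrary hosts
        user = self.sessions.get(master_cookie)
        if user is None:
            raise PermissionError("not authenticated on master")
        data = {
            "uid": user["uid"],
            "name": user["name"],
            "domain": client_domain,
            "dest": destination,
            "exp": int(time.time()) + HANDOFF_LIFETIME,
            "nonce": secrets.token_hex(8),
        }
        payload = json.dumps(data, sort_keys=True).encode()
        query = urlencode({"data": payload.decode(), "sig": sign(payload)})
        return f"https://{client_domain}/sso/receive?{query}"

    def logout(self, master_cookie):
        self.sessions.pop(master_cookie, None)


class SsoClient:
    """Runs on a slave domain; re-issues verified data as its own cookie."""

    def __init__(self, cookie_domain):
        self.cookie_domain = cookie_domain
        self.cookies = {}        # local cookie value -> user record
        self.seen_nonces = set()

    def receive(self, url, now=None):
        """Steps 4-5: validate the hand-off, set a local cookie, and return that
        cookie plus the page the user originally asked for."""
        now = time.time() if now is None else now
        q = parse_qs(urlsplit(url).query)
        payload, sig = q["data"][0].encode(), q["sig"][0]
        if not hmac.compare_digest(sign(payload), sig):
            raise PermissionError("bad signature")  # forged or modified data
        data = json.loads(payload)
        if data["domain"] != self.cookie_domain:
            raise PermissionError("token issued for another client")
        if data["exp"] < now:
            raise PermissionError("token expired")
        if data["nonce"] in self.seen_nonces:
            raise PermissionError("token replayed")
        self.seen_nonces.add(data["nonce"])
        if urlsplit(data["dest"]).netloc != self.cookie_domain:
            raise PermissionError("destination is not on this domain")
        local_cookie = secrets.token_urlsafe(16)
        self.cookies[local_cookie] = {"uid": data["uid"], "name": data["name"]}
        return local_cookie, data["dest"]

    def logout(self, local_cookie, server, master_cookie):
        """Logout as described: tell the master first, then drop the local cookie."""
        server.logout(master_cookie)
        self.cookies.pop(local_cookie, None)


if __name__ == "__main__":
    master = SsoServer()
    mc = master.login("alice", 7)  # constructed sample user
    handoff = master.handoff_url(mc, "domain2.example", "https://domain2.example/private")
    lc, dest = SsoClient("domain2.example").receive(handoff)
    print("local cookie set, redirecting to", dest)
```

In a real deployment the hand-off URL and the client's redirect must both be HTTPS, the local cookie should carry the Secure and HttpOnly flags, and the master's client list is what stops a crafted login link from bouncing a user's session to an arbitrary host.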
Comment #3
playfulwolf commented: Is the code of sso_server and sso_client already public?
Comment #4
delapohl commented: subscribing
Comment #5
mxt commented: subscribing
Comment #6
greggles commented: This seems a lot more like OpenID than Bakery and I'm not sure we should try to solve it in Bakery.
Comment #7
juliangb commented: Agree with Greggles in #6.
Marking this as won't fix for Bakery.