I have a java web application running in tomcat and another php application running in lampp. I need to use single sign on between these two applications.
What is the best method to do it ? 1. To share the session between the two servers. If so how to do it. 2. To use cookies to share data between the web servers. In this case I need to encrypt and decrypt cookies. If so what is the best method to use encryption and decryption logic which is compatible with both php and java applications.
分享 Where a several methods of doing what you want:
As sessions in PHP are stored in some temporary dir (configured by session.save_path option in php.ini), it's possible to use this files as sessions in your java application, but you'll have to make Java webApp know how to read this files, and save data back to it. The problem, that could happen is a blocking of this file. Every php process blocks session file while it is running, so no other program could read it while php is working. So, if you have high load - this problem would degrade performance of your web apps.
In php you can write your own functions to save and load session data (http://www.php.net/manual/en/session.customhandler.php), where are a lot of php session handlers already written by others, and could be find in the Internet. This handler could use any storage to put and get sessions from. For example: mysql database, mongodb, even memcache (not recommended, because of non-persistence). You can use this way and store sessions in some data storage better then default file storage, and use it both from php and java. This is the best solution.
And the last variant - save data into cookie. Of course, you can use some powerful crypting method which uses closed keys to encrypt and decrypt data, and store this data in cookie. But, the bad news is that your users would have a lot examples of your encrypted information, and, with some effort, powerfull computer and knowledge on decryption, evil hackers could get your sensitive data, that usually stored in session without afraid of loosing it. For example, you can place login, password and credit card number of logined user in it's session for fast access. You can say, that "first let them try to sneak a cookie from another user", but it's already a security hole, and next step is not so important.
分享
