The issue
Let's say that I have example.com, example.org and example.net.
All of these sites have a login which authenticates against the same base of user credentials.
I'm looking for an efficient way to log in at only one place while still having the ability to be transparently logged in at the sites.
My current solution
...is having an iframe loading a resource on one of the sites (which I call main site) and if the user is logged in at the main site, refresh the page using a token and automagically log in the user through some JavaScript.
But this is really inefficient and insecure for several reasons:
- User needs to log in at the main site
- User needs to refresh his page, using some client-side code (I'm aware that it might not be possible to avoid this).
- Using iframes is generally frowned upon and some even have browser plugins blocking these.
What I'm not looking for
I'm not interested in using some third party provider like Facebook, Google or an OpenID provider as this would require my users to register with third party websites to use my services.
Summing up to the specific question
Just like with Google and even StackOverflow, the authentication process between the sites seems transparent; I need something similar. What is a better option than my current solution?
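The token handoff described in the post, as an added example that is not part of the original post: the main site mints a token for an already authenticated user and the receiving site accepts it only if it is correctly signed, addressed to that site, unexpired and not yet used. The post does not say how its token is built, so the HMAC construction, the shared key, the 30-second lifetime and every name below are assumptions.

```python
import base64, hashlib, hmac, json, secrets, time

SHARED_KEY = b"constructed-demo-key"  # assumption: secret held only by the three backends
TTL_SECONDS = 30                      # assumption: token only has to survive one redirect

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _sign(body: str) -> str:
    return _b64(hmac.new(SHARED_KEY, body.encode(), hashlib.sha256).digest())

def issue_token(user_id, audience, now=None):
    """Main site: mint a login token for a user it has already authenticated."""
    now = time.time() if now is None else now
    claims = {"sub": user_id, "aud": audience,          # aud binds the token to one site
              "exp": int(now) + TTL_SECONDS,            # short lifetime limits theft value
              "jti": secrets.token_hex(16)}             # unique id enables single use
    body = _b64(json.dumps(claims).encode())
    return body + "." + _sign(body)

class ReceivingSite:
    """Hypothetical backend of one of the other sites (e.g. example.org)."""
    def __init__(self, hostname):
        self.hostname = hostname
        self.redeemed = set()  # demo only; a real deployment needs a shared store with expiry

    def redeem(self, token, now=None):
        """Return the user id if the token is acceptable, otherwise None."""
        now = time.time() if now is None else now
        try:
            body, sig = token.split(".")
            # Verify the signature before parsing anything the client controls.
            if not hmac.compare_digest(sig.encode(), _sign(body).encode()):
                return None
            claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
        except ValueError:
            return None
        if claims["aud"] != self.hostname:    # minted for a different site
            return None
        if now >= claims["exp"]:              # too old
            return None
        if claims["jti"] in self.redeemed:    # replayed
            return None
        self.redeemed.add(claims["jti"])
        return claims["sub"]
```

On success the receiving site would set its own session cookie; the token itself is never reused as a session identifier.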