Trusted Shared Authentication

Andy Wardley abw at wardley.org
Wed Jul 30 16:18:51 BST 2008


Jason Tang wrote:
> a requirement that a user that can authenticate on one app can click
> through to the other without the need to reauthenticate.

Are you using an authentication/session ID cookie, and are the apps running on
the same domain?

If the answers are "Yes" and "Yes" then can you share the cookie across the
two apps?

> A shared session is not a route we'd like to go down.

You can share the authentication cookie/token without having to share a
session.  One simple approach is to have the cookie store the session ID
as per usual, but add "application_id" as part of a composite key in the
sessions table.  Thus, it is session_id + application_id that returns a
unique session.  The application_id is hard-coded per application (and you
can easily use the same application_id in different apps if ever you do
want to share a session between apps).

There are other approaches that give more flexibility/complexity involving
an additional authentication table but if you've only got sessions to worry
about, and you *don't* want them shared, then there's probably no call for it.

This kind of thing is usually known as an "authentication realm" so googling
for that might give you some more info.  But the basic principle is simple:
your user authenticates to a realm (rather than a specific app), which then
gives them access (either directly or via a roles/acl table) to various
applications running under that realm.

HTH
A
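A worked sketch of the composite-key scheme described in the message above (shared cookie, unshared per-application session rows, access to apps granted per realm). This is an added example written for this page, not code from Andy's post or from the london.pm thread; it is in Python with an in-memory sqlite3 database rather than Perl so it runs with no dependencies. The cookie name, the application IDs ("wiki", "tracker", "billing"), the `app_access` table and all column names are assumptions for illustration.

```python
"""Shared authentication cookie with per-application sessions.

The cookie carries only a session ID.  The sessions table is keyed on
(session_id, application_id), so two apps that see the same cookie each
get their own row: the authentication is shared, the session data is not.
The app_access table plays the role of the roles/ACL table in the message.
"""
import secrets
import sqlite3

COOKIE_NAME = "auth_sid"  # assumed: one cookie name for every app on the domain


def open_store():
    """Create the (assumed) schema in an in-memory database."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (
            user_id  INTEGER PRIMARY KEY,
            username TEXT UNIQUE NOT NULL
        );
        CREATE TABLE app_access (          -- which apps in the realm a user may use
            user_id        INTEGER NOT NULL REFERENCES users(user_id),
            application_id TEXT    NOT NULL,
            PRIMARY KEY (user_id, application_id)
        );
        CREATE TABLE sessions (            -- one row per (session, application)
            session_id     TEXT    NOT NULL,
            application_id TEXT    NOT NULL,
            user_id        INTEGER NOT NULL REFERENCES users(user_id),
            data           TEXT    NOT NULL DEFAULT '',
            PRIMARY KEY (session_id, application_id)
        );
    """)
    return db


def login(db, username, application_id):
    """Authenticate to the realm from one app; return the cookie value.

    The password check is assumed to have happened already.  A fresh random
    session ID is minted and this app's own session row is created.
    """
    row = db.execute("SELECT user_id FROM users WHERE username = ?", (username,)).fetchone()
    if row is None:
        return None
    session_id = secrets.token_urlsafe(32)
    db.execute("INSERT INTO sessions VALUES (?, ?, ?, '')", (session_id, application_id, row[0]))
    return session_id


def session_for(db, cookie, application_id):
    """Resolve the cookie for one application.

    Returns this app's session, creating it on first visit if the cookie is a
    live realm session and the user is allowed into this app.  Returns None
    for an unknown cookie or a user without access to the app.
    """
    row = db.execute("SELECT user_id, data FROM sessions WHERE session_id = ? AND application_id = ?",
                     (cookie, application_id)).fetchone()
    if row:
        return {"user_id": row[0], "data": row[1], "application_id": application_id}
    # No row for this app yet: is the cookie known to any app in the realm?
    other = db.execute("SELECT user_id FROM sessions WHERE session_id = ? LIMIT 1", (cookie,)).fetchone()
    if other is None:
        return None                      # not authenticated anywhere: must log in
    user_id = other[0]
    allowed = db.execute("SELECT 1 FROM app_access WHERE user_id = ? AND application_id = ?",
                         (user_id, application_id)).fetchone()
    if allowed is None:
        return None                      # authenticated to the realm, not authorised here
    db.execute("INSERT INTO sessions VALUES (?, ?, ?, '')", (cookie, application_id, user_id))
    return {"user_id": user_id, "data": "", "application_id": application_id}


def set_data(db, cookie, application_id, data):
    """Store per-app session state; it is invisible to the other apps."""
    db.execute("UPDATE sessions SET data = ? WHERE session_id = ? AND application_id = ?",
               (data, cookie, application_id))


def logout(db, cookie):
    """Realm-wide logout: drop every app's row for this session ID."""
    db.execute("DELETE FROM sessions WHERE session_id = ?", (cookie,))


def demo():
    """Constructed scenario: alice logs in to 'wiki', then clicks through to 'tracker'."""
    db = open_store()
    db.execute("INSERT INTO users VALUES (1, 'alice')")
    db.executemany("INSERT INTO app_access VALUES (?, ?)", [(1, "wiki"), (1, "tracker")])
    cookie = login(db, "alice", "wiki")
    set_data(db, cookie, "wiki", "page=Home")
    results = {
        "wiki": session_for(db, cookie, "wiki"),          # original session, with data
        "tracker": session_for(db, cookie, "tracker"),    # same cookie, new empty session
        "billing": session_for(db, cookie, "billing"),    # no access granted: None
        "bogus": session_for(db, "not-a-real-session", "wiki"),  # unknown cookie: None
    }
    logout(db, cookie)
    results["after_logout"] = session_for(db, cookie, "wiki")
    return results


if __name__ == "__main__":
    for name, session in demo().items():
        print(f"{name:13s} -> {session}")
```

The click-through works because `session_for` only needs the cookie to be a live session somewhere in the realm; each app then gets its own row, and `data` written by one app never appears in another. Logout deletes by `session_id` alone, so ending the realm session ends it for every app at once.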
More information about the london.pm mailing list