I'm working on a system which will allow me to log in to the same system via various domains (www.example.com, www.mydomain.com, sub.domain.com etc.).
The following threads form the basis of my research so far:
Single Sign On across multiple domains
Cross web domain login with .net membership
What I want to happen is that if I am logged in on the master domain and I visit a page on a client domain, I should be automatically logged in on the client.
Obviously, if I am not logged in on the master, I will need to enter my username and password.
Walkthrough:
1. User logs in on master site
2. User navigates to client site
3. Client site redirects to master site to see if the user is logged in.
4. If the user is logged in on master, record an RFC 4122 token ID and send this back to the client site.
5. Client site then looks up the token ID in the central database and logs this user in.
This might eventually end up running on more than one instance of PHP and Apache, so I can't just store:
token_id, php_session_id, created
Is there any problem with me storing and using this:
token_id, username, hashed_password, created
which is deleted on use, or automatically after x seconds?
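The token hand-off of steps 4 and 5 (mint an RFC 4122 id on the master, look it up once on the client, expire it after x seconds), as an added example that is not code from the question. It is Python rather than PHP so the logic can be checked standalone; the in-memory dict stands in for the shared central database, the 60-second TTL is a made-up value, and binding each token to the client domain it was issued for is this example's own addition.

```python
import time
import uuid
from dataclasses import dataclass
from typing import Optional

TOKEN_TTL_SECONDS = 60  # the "x seconds" of the question; constructed value


@dataclass
class HandoffToken:
    username: str
    client_domain: str   # assumption: token is only valid for the site it was issued to
    created: float


class TokenStore:
    """Stands in for the central database shared by all PHP/Apache instances."""

    def __init__(self, ttl: float = TOKEN_TTL_SECONDS, now=time.time):
        self._rows: dict[str, HandoffToken] = {}
        self._ttl = ttl
        self._now = now   # injectable clock so expiry can be tested

    def issue(self, username: str, client_domain: str) -> str:
        # Step 4: master has confirmed the session, so record a fresh token.
        # uuid4 is an RFC 4122 version 4 id drawn from os.urandom (122 random bits).
        token_id = str(uuid.uuid4())
        self._rows[token_id] = HandoffToken(username, client_domain, self._now())
        return token_id

    def redeem(self, token_id: str, client_domain: str) -> Optional[str]:
        # Step 5: client looks the token up. pop() deletes it on first use,
        # whether or not the remaining checks pass, so a token is never replayable.
        row = self._rows.pop(token_id, None)
        if row is None:
            return None                       # unknown or already used
        if self._now() - row.created > self._ttl:
            return None                       # lay unused past x seconds
        if row.client_domain != client_domain:
            return None                       # issued for a different client site
        return row.username                   # client now logs this user in

    def purge_expired(self) -> int:
        # Housekeeping for tokens that were never redeemed; returns how many were removed.
        cutoff = self._now() - self._ttl
        stale = [t for t, r in self._rows.items() if r.created < cutoff]
        for t in stale:
            del self._rows[t]
        return len(stale)
```

Only the token, the user and the creation time are needed to complete the hand-off, since the master already authenticated the user before issuing it.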