We have two applications on the same domain and server. They are entirely separate and have separate login pages. We need to make it so that if you're signed into the 'master' application, you can access the other app without having to log into it again.
My preferred solution would be to generate a hash on either side and post info across from one to the other, checking if they match and setting the sign-on state of the second app if everything is OK. (We don't really need a super-strength SSO as it's not cross-domain - it's more for convenience than security.)
I'm being asked, however, to create an intermediary page which starts the session from app #1, takes the session variables, kills the session, starts the session from app #2, puts the needed variables in, checks them and sets the sign-on state.
For some reason, I'm a bit uneasy about that - not sure it would work, or if it's best practice to do this. Does anyone have any alternative suggestions or reasons why any of the proposed solutions might or might not work?
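The "generate a hash on either side and post it across" handoff the question describes, as an added example (not code from the poster): app #1 issues a short-lived HMAC-signed token naming the user, app #2 recomputes the HMAC with the same shared secret, compares it in constant time and rejects stale tokens. The shared secret, the `uid` field and the 60-second lifetime are assumptions for the example.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed placeholder; both apps would read the real value from config.
SHARED_SECRET = b"replace-with-a-long-random-secret-from-config"
TOKEN_TTL_SECONDS = 60  # assumed lifetime of a handoff token


def _sign(payload: bytes) -> str:
    """HMAC-SHA256 over the raw payload bytes, keyed with the shared secret."""
    return hmac.new(SHARED_SECRET, payload, hashlib.sha256).hexdigest()


def issue_handoff_token(user_id: str, now: Optional[float] = None) -> str:
    """App #1: build '<base64url payload>.<hmac>' carrying only what app #2 needs."""
    issued_at = int(now if now is not None else time.time())
    payload = json.dumps({"uid": user_id, "iat": issued_at},
                         separators=(",", ":")).encode()
    body = base64.urlsafe_b64encode(payload).decode().rstrip("=")
    return f"{body}.{_sign(payload)}"


def verify_handoff_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """App #2: return the user id if the signature and freshness check out, else None."""
    try:
        body, sig = token.split(".", 1)
        payload = base64.urlsafe_b64decode(body + "=" * (-len(body) % 4))
    except (ValueError, binascii.Error):
        return None  # malformed token, not even worth checking the MAC
    # Constant-time comparison so a mismatch leaks nothing about the expected MAC.
    if not hmac.compare_digest(_sign(payload), sig):
        return None
    data = json.loads(payload)  # only reached for payloads we signed ourselves
    current = now if now is not None else time.time()
    if current - data["iat"] > TOKEN_TTL_SECONDS:
        return None  # expired: a captured token cannot be replayed later
    return data["uid"]
```

Only the signed token crosses between the apps; app #2 then creates its own session for the returned user rather than importing app #1's session variables.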