We are developing a single ASP.NET website that is hosted on multiple domains:
- website-a.com
- website-b.com
Both websites allow users to log in. We are trying to enable it so that if a user logs into website-a.com, they are automatically logged into website-b.com. Obviously, because of cross-domain security, there can't be a single cookie set to serve both domains.
We were thinking of setting up a third domain, auth.company.com; the website running there would have a couple of simple endpoints:
- /authorise will be the endpoint that both website-a and website-b use to authenticate the user
- /client-id will be the endpoint that both websites will use to see if the user is already authenticated
When a user hits website-a.com, an AJAX request will be made to auth.company.com/client-id. If the user is authenticated, an identifier will be returned; website-a.com will set a cookie, ideally referencing the same ASP.NET Session as the other websites, and refresh the page.
All websites will be running over HTTPS, and I was contemplating encrypting the client-id sent back from the authorisation server, but figured this may not be necessary since if a user has access to this information, they could just spoof the user's ASP.NET session cookie anyway.
The questions I have are: is this safe? Is this sane? Is there another/better way of doing this?
We ideally want to avoid introducing something as complex as OAuth2 or OpenID, as the above-mentioned functionality is the extent of what will be required.
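The post's own observation that a leaked client-id could be used to spoof a session is the core risk of this design: whatever /client-id returns is a bearer credential. The added example below (not from the question or any product; written in Python to keep it short, the same logic maps to ASP.NET) shows one common mitigation for such a scheme: auth.company.com issues a short-lived, single-use, HMAC-signed login token bound to one target site, and that site verifies signature, audience, expiry and replay before creating its own local session rather than sharing one ASP.NET Session. The shared secret, claim names and TTL are constructed assumptions.

```python
import base64, hashlib, hmac, json, secrets
from typing import Optional, Set

# Constructed shared secret between auth.company.com and each website (assumption).
# In practice use one secret per site and rotate it.
SHARED_SECRET = b"constructed-demo-secret-rotate-me"

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_login_token(user_id: str, audience: str, now: float, ttl: int = 60) -> str:
    """auth.company.com side: mint a token usable once, by one site, for `ttl` seconds."""
    claims = {"sub": user_id, "aud": audience, "exp": int(now) + ttl,
              "jti": secrets.token_hex(16)}          # jti = unique id for replay detection
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(SHARED_SECRET, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(sig)}"

def redeem_login_token(token: str, expected_audience: str, now: float,
                       seen_jtis: Set[str]) -> Optional[str]:
    """website-a/b side: return the user id if the token is valid, else None.
    On success the caller creates its OWN session cookie for its own domain."""
    try:
        body, sig = token.split(".", 1)
        expected = hmac.new(SHARED_SECRET, body.encode(), hashlib.sha256).digest()
        # Check the signature before trusting any claim; constant-time compare.
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None
        claims = json.loads(_unb64(body))
    except ValueError:          # malformed base64 / JSON / missing separator
        return None
    if claims.get("aud") != expected_audience:   # token minted for another site
        return None
    if now >= claims.get("exp", 0):              # short lifetime limits leak window
        return None
    jti = claims.get("jti")
    if not jti or jti in seen_jtis:              # single use: reject replays
        return None
    seen_jtis.add(jti)
    return claims["sub"]
```

The `seen_jtis` store only needs to remember ids until their `exp` passes, so it stays small; in a web farm it must be shared (e.g. a cache) rather than per process.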