Associated websites often share user information, so a visitor only has to register once and can use that username and password for all sites. A good example of this is Google. You can use your Google account for GMail, Blogger, iGoogle, Google Code, etc. This is nice, but it would be even nicer if logging in to GMail would mean I’m also logged in to the other websites. For that you need to implement single sign-on (SSO).

There are many single sign-on applications and protocols. Most of these are fairly complex. Applications often come with full user management solutions. This makes them difficult to integrate. Most solutions also don’t work well with AJAX, because redirection is used to let the visitor log in at the SSO server.

I’ve written a simple single sign-on solution (400 lines of code), which works by linking sessions. This solution works for normal websites as well as AJAX sites.

Without SSO

Let’s start with a website that doesn’t have SSO.
[Figure: No SSO]
The client requests the index page. The page requires that the visitor is logged in. The server creates a new session and sends redirect to the login page. After the visitor has logged in, it displays the index page.

How it works

When using SSO, we can distinguish 3 parties:

  • Client – This is the browser of the visitor
  • Broker – The website which is visited
  • Server – The place that holds the user information

The broker will talk to the server on behalf of the client. For that we want the broker to use the same session as the client. However, the client won’t pass the session id it has at the server, since the server is at another domain. Instead the broker will ask the client to pass a token to the server. The server uses the token, in combination with a secret word, to create a session key which is linked to the session of the client. The broker also knows the token and the secret word and can therefore generate the same session key, which it uses to proxy login/logout commands and request info from the server.

First visit


When you visit a broker website, it will check to see if a token cookie already exists. If it doesn’t, the broker sends a redirect to the server, giving the command to attach sessions and specifying the broker identity, a random token and the originally requested URL. It saves the token in a cookie.

The server will generate a session key based on the broker identity, the secret word of the broker and the token, and link this to the session of the client. The session key contains a checksum, so attackers can’t simply try random session keys to grab session info. The server redirects the client back to the original URL. After this, the client can talk to the broker the same way it does when not using SSO.

The client requests the index page at the broker. The page requires that the visitor is logged in. The broker generates the session key, using the token and the secret word, and requests the user information from the server. The server responds to the broker that the visitor is not logged in. The broker redirects the client to the login page.

The client logs in, sending the username and password to the broker. The broker sends the username and password to the server, again passing the session key. The server returns that login is successful to the broker. The broker redirects the client to the index page. For the index page, the broker will request the user information from the server.

Visiting another affiliate


You visit another broker. It also checks for a token cookie. Since each broker is on its own domain, they have different cookies, so no token cookie will be found. The broker will redirect to the server to attach to the user session.

The server generates a session key for this broker, which differs from the one for the first broker, and attaches it to the user session. This is the same session the first broker used. The server will redirect back to the original URL.

The client requests the index page at the broker. The broker will request user information from the server. Since the visitor is already logged in, the server returns this information. The index page is shown to the visitor.
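The token and session-key flow described above, as an added example that is not part of the post or its PHP code: a small Python model of the SSO server, two brokers and one client, walking through the first visit, the login, the second broker recognising the user, a forged session key being rejected, and a logout propagating. The checksum construction (HMAC-SHA256 over broker, token and client address), the broker secrets and the sample client are this example’s assumptions; the key layout SSO-<broker>-<token>-<checksum> follows the session ids quoted in the comments.

```python
import hashlib
import hmac
import secrets

# Constructed values for this example (not the post's code): the broker secrets the
# SSO server knows, and demo users like the post's jan/jan1.
BROKERS = {"ALEX": "abc123", "BINCK": "xyz789"}
USERS = {"jan": "jan1", "peter": "peter1"}


def session_key(broker, token, secret, client_addr):
    """Key both broker and server derive: SSO-<broker>-<token>-<checksum>.
    The checksum is HMAC-SHA256 under the broker's secret (this example's choice),
    so a key with a guessed checksum is rejected before any session is touched."""
    msg = f"{broker}|{token}|{client_addr}".encode()
    mac = hmac.new(secret.encode(), msg, hashlib.sha256).hexdigest()
    return f"SSO-{broker}-{token}-{mac}"


class SsoServer:
    def __init__(self):
        self.user_sessions = {}  # client session id -> session data (holds the user)
        self.links = {}          # broker session key -> client session id

    def attach(self, client_sid, broker, token, client_addr):
        """Handle the client's redirect: link the broker's key to the client's session."""
        if broker not in BROKERS:
            return "No broker"
        self.user_sessions.setdefault(client_sid, {})
        self.links[session_key(broker, token, BROKERS[broker], client_addr)] = client_sid
        return "Attached"

    def _resolve(self, key, client_addr):
        """Verify a broker-supplied key, then return the linked client session."""
        parts = key.split("-")
        if len(parts) != 4 or parts[0] != "SSO" or parts[1] not in BROKERS:
            raise PermissionError("Not attached")
        expected = session_key(parts[1], parts[2], BROKERS[parts[1]], client_addr)
        if not hmac.compare_digest(key, expected):
            raise PermissionError("Invalid session id")
        if key not in self.links:
            raise PermissionError("Not attached")
        return self.user_sessions[self.links[key]]

    def login(self, key, client_addr, username, password):
        """The broker proxies the credentials; the shared session records the user."""
        session = self._resolve(key, client_addr)
        if USERS.get(username) != password:
            return False
        session["user"] = username
        return True

    def info(self, key, client_addr):
        return self._resolve(key, client_addr).get("user")

    def logout(self, key, client_addr):
        self._resolve(key, client_addr).pop("user", None)


class Client:
    def __init__(self, addr, server_sid):
        self.addr = addr
        self.server_sid = server_sid  # session cookie for the SSO server's domain
        self.cookies = {}            # token cookies, one per broker domain


class Broker:
    def __init__(self, name, server):
        self.name, self.secret, self.server = name, BROKERS[name], server

    def key_for(self, client):
        return session_key(self.name, client.cookies[self.name], self.secret, client.addr)

    def visit(self, client):
        """First request: issue a token cookie and send the client to attach, then ask info."""
        if self.name not in client.cookies:
            client.cookies[self.name] = secrets.token_hex(8)
            self.server.attach(client.server_sid, self.name, client.cookies[self.name], client.addr)
        return self.server.info(self.key_for(client), client.addr)


def run_scenario():
    """The post's flow: first visit, login at ALEX, recognised at BINCK, forged key, logout."""
    server = SsoServer()
    alex, binck = Broker("ALEX", server), Broker("BINCK", server)
    client = Client("203.0.113.7", "client-session-1")  # constructed sample client
    before = alex.visit(client)                         # None: nobody logged in yet
    ok = server.login(alex.key_for(client), client.addr, "jan", "jan1")
    at_binck = binck.visit(client)                      # "jan": same user session reached
    try:
        server.info("SSO-ALEX-deadbeef-" + "0" * 64, client.addr)
        forged = "accepted"
    except PermissionError as e:
        forged = str(e)                                 # checksum fails: "Invalid session id"
    server.logout(binck.key_for(client), client.addr)
    after_logout = alex.visit(client)                   # None: logout propagated to ALEX
    return before, ok, at_binck, forged, after_logout
```

Note that a second broker reaches the same user session without ever seeing the first broker’s token or secret; only the server’s link table connects the two keys.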

Using AJAX / Javascript

SSO and AJAX / RIA applications often don’t go well together. With this type of application, you do not want to leave the page. The application is static and you get the data and do all actions through AJAX. Redirecting an AJAX call to a different website won’t work because of the cross-site protection within the browser.

With this solution the client only needs to attach the session by providing the server with a token generated by the broker. That attach request doesn’t return any information. After attaching, the client doesn’t talk to the server at all any more. Authentication can be done as normal.


The client checks for the token cookie. If it doesn’t exist, it requests the attach URL from the broker. This attach URL includes the broker name and the token, but not an original request URL. The client will open the received URL in an <img> and wait until the image is loaded.

The server attaches the session key to the user session. When it’s done it outputs a PNG image. When this image is received by the client, it knows the server has connected the sessions and the broker can be used for authentication. The broker will work as a proxy, passing commands and requests to the SSO server and returning results to the client.

To conclude

By connecting sessions, you give the broker the power to act as the client. This method can only be used if you trust all brokers involved. The login information is sent through the broker, which can easily store it if the broker has bad intentions.


Demo
Broker ‘Alex’
Broker ‘Binck’
AJAX broker – created by Lukasz ‘Uzza’ Lipinski using Ajax.org PlatForm.

Play around, logging in and out at different brokers, then refresh the other brokers afterwards. Available users:
jan / jan1
peter / peter1
bart / bart1
henk / henk1

Download
Download the code @ github
2009-11-16: Updated the software with bugfixes mentioned in comments + alternative for using symlinks.

If I overlooked security issues with this SSO implementation, please leave a comment below.

This is a simple implementation of SSO. If you want enterprise stuff have a look at Novell Single Sign-On.

  197 Responses to “Simple Single Sign-On for PHP (Ajax compatible)”

  1. Hi,
    I am looking forward to using it. Since it is not using symlinks, I can easily use this on a Windows server as well. Very basic question: Do I need a separate server for the broker?

    Thanks,
    Amit

  2. Amit: The server needs to be on a different domain than the brokers. Using a different subdomain like ‘auth.example.com’ for the server and ‘www.example.com’ for the broker will work as well. The server/brokers can be on a different physical server, but don’t need to be.

  3. Arnold,

    I see where it checks for $_SESSION['client_addr'] and destroys the session if it’s not set. But I don’t see where this is actually set.
    My implementation hits this session_destroy() every time. Where in the class were you intending to define the ‘client_addr’ session var?

    Thanks.

  4. $_SESSION['client_addr'] is set by the client as it creates the session on line 103.

    If you are getting ‘Not attached’ each time, the client is either not connecting to the server or the symlink (or link file) isn’t created correctly. Have a look at the previous comments.

  5. I have the client attaching correctly and the symlink is working. The problem seems to be that there is a sessionStart() at the beginning of the attach(). Here within the sessionStart() it never gets to the bottom where it sets the client_addr. It always matches on the session_name() and then fails on the client_addr.
    If I just comment this session_destroy() segment out – I’m able to attach just fine.

  6. Hi Arnold,

    Firstly, I want to thank you about your SSO implementation.
    When I deployed your source code in my local computer, it worked very well.
    But it always gets a 403 Forbidden error when I deploy it to my hosting.
    - SSO server: http://service.mio.vn/server/index.
    - SSO client: http://mio.vn/customer/login

    Any ideas?

    Thank you,

  7. I have just modified the SSO implementation so that it does not use the symlink function, by saving the data to a table in a database.

    Firstly, you can create a table named “links”:

    CREATE TABLE IF NOT EXISTS `links` (
      `id` int(11) unsigned NOT NULL auto_increment,
      `code` varchar(128) NOT NULL,
      `link` varchar(64) default NULL,
      PRIMARY KEY  (`id`)
    ) ENGINE=MyISAM  DEFAULT CHARSET=utf8 ;

    Then, you should modify the server class (SingleSignOn_Server) to save data to the database instead of saving it to a file.

    Just modify the 2 functions sessionStart and attach as follows:

    protected function sessionStart()
    {
        if ($this->started) return;
        $this->started = true;

        // Broker session: the broker passes the generated session key as the session id
        $matches = null;
        if (isset($_REQUEST[session_name()]) && preg_match('/^SSO-(\w*+)-(\w*+)-([a-z0-9]*+)$/', $_REQUEST[session_name()], $matches)) {
            $sid = $_REQUEST[session_name()];

            // Look up the linked client session; $this->db is assumed to be a PDO connection
            $stmt = $this->db->prepare("SELECT `link` FROM `links` WHERE `code` = ?");
            $stmt->execute(array($sid));
            $link = $stmt->fetchColumn();

            if ($link !== false) {
                session_id($link);
                session_start();
                setcookie(session_name(), "", 1);
            } else {
                session_start();
            }

            if (!isset($_SESSION['client_addr'])) {
                session_destroy();
                $this->fail("Not attached");
            }

            if ($this->generateSessionId($matches[1], $matches[2], $_SESSION['client_addr']) != $sid) {
                session_destroy();
                $this->fail("Invalid session id");
            }

            $this->broker = $matches[1];
            return;
        }

        // User session
        session_start();
        if (isset($_SESSION['client_addr']) && $_SESSION['client_addr'] != $_SERVER['REMOTE_ADDR']) session_regenerate_id(true);
        if (!isset($_SESSION['client_addr'])) $_SESSION['client_addr'] = $_SERVER['REMOTE_ADDR'];
    }

    public function attach()
    {
        $this->sessionStart();

        if (empty($_REQUEST['broker'])) $this->fail("No broker specified");
        if (empty($_REQUEST['token'])) $this->fail("No token specified");
        if (empty($_REQUEST['checksum']) || $this->generateAttachChecksum($_REQUEST['broker'], $_REQUEST['token']) != $_REQUEST['checksum']) $this->fail("Invalid checksum");

        $sid = $this->generateSessionId($_REQUEST['broker'], $_REQUEST['token']);

        // Store the link row (code => client session id) where the original created a symlink
        $stmt = $this->db->prepare("SELECT `link` FROM `links` WHERE `code` = ?");
        $stmt->execute(array($sid));
        if ($stmt->fetchColumn() === false) {
            $stmt = $this->db->prepare("INSERT INTO `links` (`code`, `link`) VALUES (?, ?)");
            $attached = $stmt->execute(array($sid, session_id()));
        } else {
            $stmt = $this->db->prepare("UPDATE `links` SET `link` = ? WHERE `code` = ?");
            $attached = $stmt->execute(array(session_id(), $sid));
        }
        if (!$attached) trigger_error("Failed to attach; link row wasn't written.", E_USER_ERROR);

        if (isset($_REQUEST['redirect'])) {
            header("Location: " . $_REQUEST['redirect'], true, 307);
            exit;
        }

        // Output an image specially for AJAX apps
        header("Content-Type: image/png");
        readfile("empty.png");
    }
    

    After that, you can completely remove the links_path property and its initialization in the __construct function.

    Hope it helps

  8. Thiet Doan: The script doesn’t return a 403 http response, so check the URLs and otherwise look at the apache error log.

  9. I guess I don’t see how line 75 (server) evaluates false when it is being set every time in the cookie by the broker on line 205 (broker). If this evals true every time (mine does) it will never get to line 103 where the client_addr is set. What am I doing wrong? Should this be evaluating false the first time around?

  10. Ok, I see how it’s supposed to work. It does indeed evaluate false the first time through on the attach. The session appears to be set (the first time through). But the second time the sessionStart() is fired, the $_SESSION[client_addr] is no longer set. Do you know what may cause that?

  11. Mathias: If no session variables are set, the broker probably isn’t using the session file that was created by the client when connecting to server.

    On line 85 AND line 103, insert

    header('X-SessionId: ' . session_id());
    

    Use something like tamper data (firefox) or fiddler (windows) to check the HTTP headers. Check the session dir and see if the session file of the broker is a symlink to the session file of client.

  12. Hi Arnold,

    First I would like to thank you for your nice work! It’s so great to find this kind of help.

    I have a particular question about your single sign on. I would like to implement it on my website to allow my partners to use my API.

    At the present time, my partners insert my API on their own website for their own users. But these users have to register and then login when they come to the API pages.

    My question is, can I use your single sign-on script to allow my partners’ users to log on only once?

    And my second question is, if my partners have their own users registered in their DB, will I have to register their users first in my own DB beforehand? Or will I have to create accounts on the fly?

    I don’t know if I’m clear enough so please let me know,

    Thanks again,

    Alexandre

  13. Alex: In this example, the SSO-server does all the authentication, though the brokers collect the username and password. That means that a.) the brokers need to be completely trusted (aka your sites). This is probably not the case for partners. And b.) it assumes that the SSO-server holds all user information and the brokers hold none.

    If the SSO-brokers hold their own user information, the role of the SSO-server changes. He no longer has to do authentication, the broker can simply tell the server that that user is logged in. The server can tell the next broker that this user is logged in. For this the SSO-server needs to know which user of broker A is which user on broker B.

    Example: I’m known as ‘arnolddaniels’ on LinkedIn, but as ‘adaniels_nl’ on Twitter. LinkedIn would tell the SSO-server that ‘arnolddaniels’ has logged in. If I would visit Twitter next, Twitter would ask which user is logged in. If the server would reply ‘arnolddaniels’, this would not work.

    That whole issue can be overcome by not having the brokers pass a username, but an e-mail address instead. In that case, the server does not have to create any accounts (not beforehand and not on the fly).

  14. Hi Arnold,

    Thanks for your answer.

    I think I got it. So in my case, if I want to allow my Partners to use the single sign on for their own users, I will need to ask them to import first their users into my own DB (through a CSV file and a simple form in my front site for e.g).

    Then, once their users have been added to our DB, I could match them thanks to their email as the ID as per your suggestion.

    So finally, User A will go to the Partner site and connect to their own DB during the authentication, then once he comes to our API included inside the Partner site, he will be automatically recognized and logged in (so we could save information related to this particular user in our own DB when he uses our API).

    This sounds good, but I have another question: How can I keep the Partner’s user list always up to date?
    I mean, I can’t ask my Partners to update their user list every day through my website with a .CSV file, for example… it’s too constraining… Do you have any idea for this?

    Alex.

  15. Alex: ehh no… The server doesn’t need to have any account information of the users.

    User A will go to Partner X’s site. He will be redirected to the SSO-server, where a new session is created and attached. Partner X asks if the user is already logged in and the SSO-server replies ‘no’. User A logs in at Partner X. Partner X sends the e-mail address to the SSO-server. The SSO-server will save this e-mail in the attached session.

    Now user A visits Partner Y’s site. He will be redirected to the SSO-server, where his existing session is attached. Partner Y asks if the user is logged in and the server replies with the e-mail address. Partner Y looks up the user in his own DB based on the e-mail address and logs in the user without asking for a password.

    Do know that you need to completely trust all partners. An administrator of any partner can get into any account of any other partner, without having to specify a password. This is due to the fact that logging in to any of the partner sites means you’re logged in to all of the partner sites.

  16. Sorry, but I have some difficulties understanding the whole process properly.

    When you said:
    “Now user A visits Partner Y’s site. He will be redirected to the SSO-server, where his existing session is attached. Partner Y asks if the user is logged in and the server replies with the e-mail address. Partner Y looks up the user in his own DB based on the e-mail address and logs in the user without asking for a password.”

    => What happens if User A is not in Partner Y’s DB?
    The thing is, all my partners will have different DBs (obviously) with different users, so how could User A connect to Partner Y’s site although User A is a user of Partner X?

    Also my main goal is to allow the registered users of each of my partners to connect to my own DB / users system when they will use my API without having to sign in again (twice: first on the partner home page, and then when they come to our API included in Partner’s website pages).

    But my partners won’t accept to share their users credentials with the others partners…

    Actually, I thought I could use your single sign-on like the following procedure:
    - http://getsatisfaction.com/developers/fastpass
    - http://getsatisfaction.com/developers/fastpass_technical

    Is it possible?

    Thanks again, and sorry for my misunderstanding,

    Alexandre

  17. Alex: Remember, the trick of this whole method is shared sessions. The broker (the server of your partner site) can use the same session as the client, therefore the broker can do anything the client (user) would normally do. This can be logging in, but also registering, adding a product in a shopping cart, enabling a service, etc.

    After logging in on the partner site, the broker might tell the server that user ‘somebody@example.com’ has logged in. The server should return whether or not the user exists (as HTTP response). If the user does not exist, the broker can send the user information to the server, which can create a user OR the broker can simply redirect the client to register himself. If the sign-on is only 1-way, simply leave out the part where the broker requests the e-mail address of the logged in user.

    Also, if I understand correctly, sessions shouldn’t be shared between brokers. The best way to solve that is to make 1 subdomain per broker, eg:
    http://partner-x.example.com
    http://partner-y.example.com
    This can be done by a virtual host with ‘ServerAlias *.example.com’. Then get the broker name from $_SERVER['HTTP_HOST'] instead of from $_REQUEST['broker'].

  18. Hi Arnold,
    First I would like to thank you for your great work.
    I have two domain names like http://testsso.com/test/ and http://session.com/session/. How will I configure this? I am new to this concept, can you please explain? I got the error below. I am using PHP version 5.2.3 and Apache.

    Uncaught exception ‘Exception’ with message ‘SSO failure: The server responded with a 404 status: “Object not found! Object not found! The requested URL was not found on this server. If you entered the URL manually please check your spelling and try again. If you think this is a server error,

    Thanks
    Sriman

  19. Sriman: The url to the SSO server (in broker/sso.php on line 16) is not configured correctly.

  20. Hi Arnold,

    Thanks for your help. After I gave the proper URL I got:
    Uncaught exception ‘Exception’ with message ‘SSO failure: The server responded with a 406 status: “Not attached”.’ in C:\xampp\htdocs\phpsvn\test\sso.php:161 Stack trace: #0 C:\xampp\htdocs\phpsvn\test\login.php(8): SingleSignOn_Broker->getInfo() #1 {main} thrown in C:\xampp\htdocs\phpsvn\test\sso.php on line 161. Why is this error coming? What’s the problem? Can you help me?

    Thanks
    Sriman

  21. Sriman: Please read the comments of the properties of the class SingleSignOn_Broker and class SingleSignOn_Server. Most of them are settings. You should configure them. Also read the comments below the article. In there this question is already answered.

    In this case, since you are using Windows, you can’t use symlinks. Instead use normal files for attaching by setting $links_path ( server/sso.php line 15) to some kind of tempdir.

  22. Hi Arnold,

    First of all, wishing you a Merry Christmas…
    Still I have a big doubt: I log in to my Gmail account, then go to my localhost and give that Gmail URL as the public URL in broker sso.php, and the URL does not specify any PHP file, just the URL of Gmail. I configured your code on my localhost. Is it possible to auto-login to my site when I log in to Gmail? Kindly give some clarification with an example, please.

    Thanks
    Sriman

  23. sriman: This is an example of how to set up your own Single Sign-On system, with your own user data. It has absolutely nothing to do with Google accounts / GMail or those kind of things.

    To validate google users, you need to use OpenID. See http://code.google.com/intl/nl/apis/accounts/docs/OpenID.html

  24. sriman: The download is not an install-and-configure application. This is an example showing how to implement SSO in your own application. Installing this software on your server should give you the exact same functionality as the demos. You can log in with the users set on server/sso.php line 43.

    You need to write your own authentication implementation, replacing login() and info().

    Again, this is just an example, not a full fledged SSO solution. If you need that, look at simpleSAMLphp.

    This is all I can say about this. Just read the article and comments carefully. You’ve asked nothing that is not explained in there.

  25. Very informative article. This just made things quite clear. Especially I like the part where the images have been explained using HTTP response codes.

  26. Hi,

    Interesting article. One point I don’t quite understand is what information a second broker is passing to the SSO server which allows it to be linked to the session of the first broker. Am I correct in thinking that the client IP address is used to identify the client on multiple domains? Thus if the IP address of a logged in client is known then security is compromised?

    Thanks,
    Paul

  27. Paul: No, the IP is purely against session hijacking and can be left out.

    Read the article again and look at the images more closely. Don’t try to deduce the working by looking at the code. The trick lies in the broker token that is issued by the broker, then passed to the client, which passes it to the server. The server knows who the client is by the session cookie.

    The server will generate a session key based on the broker identity, the secret word of the broker and the token and link this to the session of the client.

  28. Does anyone have any idea of how to customize this so that it uses a database to store brokers, users, and sessions. Need it to be able to easily scale to support anything from 3 sites to 50 sites and an unlimited number of users.

  29. Thank you, it really works. We’ve implemented your code in a program using the CI framework. Still wondering if it can be used with Moodle.

  30. Hi Arnold,
    it works fine on my localhost, nice share..
    @nizar: it would be nice if you could share your implementation on a CI application…

  31. Hi Arnold,
    I copied your server/sso.php to sso.sahooshare.com and the broker directory contents to http://www.konnectp.com, but still it won’t work.

    It displays the below error when I try to access http://www.konnectp.com.

    Fatal error: Uncaught exception ‘Exception’ with message ‘SSO failure: HTTP request to server failed. couldn’t connect to host’ in /hsphere/local/home/sarada/konnectp.com/sso.php:216 Stack trace: #0 /hsphere/local/home/sarada/konnectp.com/sso.php(155): SingleSignOn_Broker->serverCmd(‘info’) #1 /hsphere/local/home/sarada/konnectp.com/index.php(7): SingleSignOn_Broker->getInfo() #2 {main} thrown in /hsphere/local/home/sarada/konnectp.com/sso.php on line 216

    broker= http://www.konnectp.com/index.php
    sso server= http://sso.sahooshare.com/sso.php

    but still it shows the above error.
    Please help me.

    Thanks in advance.

  32. Sarada: The broker is unable to connect to the server. Make sure you have the right URL in broker/sso.php on line 16. Check if there is a firewall in place blocking outbound traffic on port 80.

  33. Hello Arnold,

    I have given the correct URL in my broker. You can see it below.

    public $pass401=false;

    public $url = "http://sso.sahooshare.com/sso.php";

    public $broker = "LYNX";
    public $secret = "klm345";

    I am able to access the above server URL, it’s working.

    But as you said, how can I know whether there is a firewall which blocks port 80 or not?
    Could you please help me.
    Thanks in advance.

  34. Sarada: This is a system administration problem, not a software issue. If you’re not the sysadmin, please consult your sysadmin. If you are the sysadmin, you should know how to solve this.

  35. Hi Arnold,

    It was some system issue. I consulted the system admin and it got fixed. Now it is working.

    You can see the demo at @ http://www.konnectp.com

    Thanks.

  36. Hi Arnold,

    How do I implement the single sign-on in my site?
    Give me a proper explanation, step by step. I am new to this concept.
    A proper response is appreciated.

    Thank
    Jack

  37. Hi Jack,

    This is about as step-by-step as it’s going to get here. Make sure you read the article carefully, so you understand the concept behind the code.

    You might want to take 3 steps for implementing the SSO solution in your own site:
    1.) Download the code from GitHub and get it working, as is, on your server.
    2.) Replace line 140 of server/sso.php with a method that checks the credentials against your database. Replace function info() to get the user info from the DB.
    3.) Copy/paste line 1 to 10 from broker/index.php into your own site. Replace broker/login.php with your own login screen.

    If you need more help, try one of the many PHP forums like http://forums.devnetwork.net

    Good luck

  38. Hi Arnold Daniels,

    Thanks for your help. I followed what you mentioned.
    If I have any doubts, kindly help me.

    Thanks
    Jack

  39. Hi Arnold,

    I have started to implement SSO in my http://www.test.com.
    1. I just downloaded and copied your folder into my test.com.
    2. I made changes in server/sso.php for the credentials and to get user info based on username and password.
    3. You said to copy/paste lines 1 to 10 from broker/index.php into my own site; where am I going to copy those 10 lines?
    4. I have copied that login screen into my own.

    could you please help me to finish the task…

    Thanks
    Jack

  40. Jack: Some advice in advance: after each step, make sure that the app is working properly.

    Line 1 to 10 from broker/index.php checks if a user is logged in. If that is not the case it redirects the client to login.php. If your site doesn’t require a user to be logged in, you don’t need it.

  41. Hi Arnold,

    Thanks for your advice. The app is working fine. I integrated your code in my site and logged in to my site with your broker login, and after that I refreshed your demo http://sso-alex.adaniels.nl/index.php and it logs in without logging in again, and if I log out of your demo site, my site’s broker also logs out.
    So have I achieved the single sign-on, or do I need to do anything else?
    Kindly explain how to finish the task.

    Thanks
    Jack

  42. Jack: I don’t understand your last comment.

    In the end you should be using your own SSO-server and SSO-brokers. The brokers are your websites which share their authentication. Based on the article and my previous comments you should be able to implement your own SSO solution.

    Please remember that this is not a help forum.

  43. Hi Arnold,

    I have downloaded the files from github and ran it on Linux and Windows, but I couldn’t make it work properly. Maybe I’m missing something, but there’s a strange problem.
    Suppose that you copy the directory broker with a new name like broker2. Now it’s supposed to have SSO between /broker and /broker2, but both of them work separately, and once logged in at /broker, there’s no SSO in /broker2.
    The strangest part is that on Windows they work completely separately, but on Linux once you log in at /broker and then open a page at /broker2, you will be logged out of /broker!
    Thanks

  44. Hi Arnold,

    I have made changes as mentioned above.
    I made changes as follows:

    server/sso.php

    array('secret'=>"abc123"),
    'BINCK' => array('secret'=>"xyz789"),
    'UZZA' => array('secret'=>"rino222"),
    'AJAX' => array('secret'=>"amsterdam"),
    'LYNX' => array('secret'=>"klm345"),
    );

    /**
     * Information of the users.
     * This should be data in a database.
     *
     * @var array
     */
    protected static $users = "select * from mdl_user where username='$username' AND password='$password'";

    and

    IN BROKER/sso.php as
    <?php
    /**
    * Helper class for broker of single sign-on
    */
    class SingleSignOn_Broker
    {
    /**
    * Pass 401 http response of the server to the client
    */
    public $pass401=false;

    /**
    * Url of SSO server
    * @var string
    */
    public $url = "http://localhost:81/broker/sso.php";

    /**
    * My identifier, given by SSO provider.
    * @var string
    */
    public $broker = "LYNX";

    /**
    * My secret word, given by SSO provider.
    * @var string
    */
    public $secret = "klm345";

    /**

    I am getting the login page, that’s all.. nothing is working

  45. Hi,
    Thanks for a great sso implementation.
    I did implement it with a database (actually using web services provided by one of our .NET sites) on my local server and everything works great.
    The problem is when I uploaded it to the live server. The first time I load the site, it goes directly to my sso_server.php file (seems it redirects physically).
    The second time I load the site, I get a 406 error.
    If I clear my cookies, the same thing happens.
    Is there some kind of setting I need to do for production?
    We have a Linux dedicated box with Apache and PHP 5.12.
    I have MAMP on my local computer on Mac.
    Other thing.
    I do get a 406 error on my local computer sometimes. I think it’s when I don’t log out and the local cookie expires. Guess something with session expiry. But right now I am really looking to make this thing work on my real server.
    Thanks for a great implementation.

  46. Fatal error: Uncaught exception ‘Exception’ with message ‘SSO failure: The server responded with a 406 status: “Not attached”.’ in C:\apache2triad\htdocs\SSO\sso\broker\sso.php:161 Stack trace: #0 C:\apache2triad\htdocs\SSO\sso\broker\index.php(5): SingleSignOn_Broker->getInfo() #1 {main} thrown in C:\apache2triad\htdocs\SSO\sso\broker\sso.php on line 161

    Please help me…

    I use Windows 7 and apache2triad with PHP 5.1.2

    Thanks in advance…

  47. David: Make sure that the brokers are configured with different identifiers.

    vij: Changing $users to a database query won’t work. This example doesn’t have database support. You need to add that yourself. See comment 87.

    Sam: Make sure that the symlinks to the session files are created correctly. Have a look at the remarks in some of these comments about ‘Not attached’ issues. Ask again if you’re unable to fix it.

    dacus: Try manually setting $links_path in broker/sso.php and make sure you can write to that path.

  48. Hi Arnold,

    Well, my Windows machine creates 2 files for the 2 brokers I have set (using the same broker name) as follows:

    1. sess_SSO-LYNX-dfe09fcdc0a9e9d7f31aa39d15e9f794-9d0d2a9eb1468eb324502615d9a427dd
    2. sess_SSO-LYNX-7488f04b107e05e943d027531a871688-172c95da16538918869b814bb0fae579

    at the time I just visit the broker’s page. When I log in, the content of the session files changes and includes information. But the wrong part is that when I log in at /broker1 it only changes one of the session files, and when I refresh the page on /broker2 it still thinks that I have not logged in!
    I just downloaded the files again and made no changes to the files. I have no idea why it’s not working properly on my machine. Maybe it needs some PHP settings that are not set on my machine!
    Thank you in advance for your kind help

  49. Hi Arnold,

    now, I got it

    Warning: SimpleXMLElement::__construct(): Entity: line 1: parser error : Start tag expected, ‘__construct(’1′) #1 C:\apache2triad\htdocs\SSO\sso\broker\sso.php(158): SingleSignOn_Broker->parseInfo(true) #2 C:\apache2triad\htdocs\SSO\sso\broker\index.php(5): SingleSignOn_Broker->getInfo() #3 {main} thrown in C:\apache2triad\htdocs\SSO\sso\broker\sso.php on line 143

    thanks

  50. David: Do not use the same name for multiple brokers. A name (identifier) needs to be unique per broker.
    Those sess_SSO files should be symlinks to the same session file. Please check if this is the case. If this is not the case, check if the attach request is done (using fiddler, tamper-data, live-http-headers, or something similar).

    dacus: The info function in server/sso.php isn’t outputting valid XML or you output other (debugging) text.


About the author

Hi, I'm Arnold Daniels. How nice that you like to know a bit more about little old me :).

I've spent a big part of my life behind a computer (and not playing games). I've learned a lot about databases, programming and system administration, especially on the LAMP stack (Linux, Apache, MySQL & PHP).

© 2012 Jasny