I would like to know if it is possible to allow users to log into multiple sites. Once a user logs into one of my sites, and they go to another of my sites, I would like for them to be automatically logged into the 2nd or even the 3rd site because they are already logged into the first site.
What you're describing is better known as single sign-on.
Many single sign-on processes, e.g. the Amazon single sign-on process, work roughly as follows:
- Elect one particular domain as your issuer. Each time that a user wants to sign on to a site or tries to access a restricted area from a site they haven't signed on to, they will be sent to a page on this domain (with a query string indicating where they came from).
- If the user has not already signed on, they are presented with a login form to enter their details, which are stored in a central database. If they log in successfully, a cookie gets set on the issuing domain so that they don't need to log in a second time.
- The user is redirected back to the site they came from with the absolute minimum of user information required passed through the query string, as well as a signature that can be used to verify the information.
- Assuming the information is verified to be correct, the user is now authenticated and a cookie can be set on the requesting domain.
The information gets passed along in the query string, e.g.:
The main things to bear in mind are:
- You should always be transmitting all of the data in this exchange securely, i.e. over SSL.
- The signature needs to be based on the query data and very difficult to forge, since it is essentially used to authenticate the user details. Amazon calculates an HMAC signature from the query string using a shared secret, for example.
And finally, one alternative you may not have considered but which might be appropriate: instead of doing all of this work yourself, you can be hip like Doctype or StackOverflow and use OpenID instead. Depending on your perspective this could be considered as the ultimate single sign-on experience, since your users can use the same credentials to sign on to any site that uses OpenID instead of just yours! You will almost certainly find an implementation in whatever language you are using if you Google for a few minutes.
I also would recommend a single-sign-on solution like OpenID, but bear in mind that you may have some explaining to do. If you expect your users to be less technically savvy, you can try Twitter OAuth or Facebook Connect.
Regarding your question about cookies: Cookies follow a same-origin policy. That means if your sites all share the same 2nd level domain, you could use the cookie from mysite1.example.com to be automatically logged in to mysite2.example.com. But the domain attribute for the cookie must be set to .example.com