
I am hoping this is the correct stack exchange to be asking this, here goes.

I am building a new website whereby it implements its own custom login system. You simply register your username, email password etc. Then you're free to log in with the option of clicking "remember me" to save the hassle of logging in every time. For simplicity, let's call this the Custom Login System and an account a Custom Account.

However, I am very interested in integrating some 3rd party login systems via OAuth that are offered by the likes of Facebook, Google and Twitter.

My question is, is it feasible to have a mechanism whereby:

  • you log in via Google, for example
  • my script confirms the tokens and all that good stuff to ensure you authorised the login
  • I then ask you to either link your Google account to:
    • an existing Custom Account or
    • a new Custom Account by asking to register one after logging in with Google
  • once you've logged in to your Custom Account, I treat you like any other user except I assume the "remember me" option was ticked and set a cookie that logs you in from here on as if you were using a normal Custom Account the whole time.

This could essentially mean that I don't need to constantly query Google's servers, only during login. Then from there on, as long as they have a valid cookie they will stay logged in.

Is this possible? Are there any obvious flaws that I am missing?


1 Answer

up vote 1 down vote accepted

It doesn't look wrong at the level you are describing; there are certainly sites that offer both types of login (e.g., SourceForge). When you're dealing with this sort of thing, you're absolutely right to cache the information in the session; re-querying the OAuth provider on every operation would suck in terms of performance, and it would also be tricky to do given that these advanced web-based auth schemes are actually based off doing quite a bit of form processing.

However, you probably need to take some care to ensure that you don't open your clients to attacks by the nefarious. In particular, as the session cookie is now a real security token (after auth) you must make sure it is HTTPS-only and that it is only ever sent from one address (unless the client explicitly says “I know my IP address is liable to change”; some people are stuck with poxy proxies like that). You probably also need to make the auth-ness expire after a while, at least for more sensitive operations. There's probably more you need to think of as well, but I don't know the detailed state of the art in this area.

Getting all this right is a bit tricky as there are so many gotchas, so you should look for a library that handles the low-level details for you. I don't know the world of libs for PHP at all, so I can't mention anything specific. (Were you using Java I could help more…)
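The flow the question describes (verify the provider's login, link the external identity to an existing or new Custom Account, then issue a long-lived "remember me" cookie) and the hardening the answer asks for (the cookie is a real bearer token, so it must be Secure and HttpOnly, must expire, and sensitive operations should demand a recent login) can be sketched together. The following is an added example, not code from the question, the answer, or any library; it uses an in-memory store and a constructed Google subject id, and it assumes the provider's token has already been verified before `link_identity` is called. The persistent token is split into a public selector and a secret validator, and only a hash of the validator is stored, so a leaked token table cannot be replayed as cookies.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field

TOKEN_TTL = 30 * 24 * 3600       # remember-me lifetime in seconds (assumed policy)
FRESH_AUTH_MAX_AGE = 15 * 60     # sensitive operations require a login this recent


@dataclass
class Account:
    id: int
    username: str


@dataclass
class Store:
    """Stand-in for database tables; constructed for this example."""
    accounts: dict = field(default_factory=dict)    # account_id -> Account
    identities: dict = field(default_factory=dict)  # (provider, subject) -> account_id
    tokens: dict = field(default_factory=dict)      # selector -> (account_id, validator_hash, issued_at, expires_at)


def link_identity(store, provider, subject, account_id=None, username=None):
    """Called only after the provider's OAuth response has been verified.

    Returns the Custom Account already linked to (provider, subject), links an
    existing account when account_id is given, or registers a new one otherwise.
    """
    key = (provider, subject)
    if key in store.identities:
        return store.accounts[store.identities[key]]
    if account_id is not None:
        account = store.accounts[account_id]
    else:
        new_id = max(store.accounts, default=0) + 1
        account = Account(new_id, username)
        store.accounts[new_id] = account
    store.identities[key] = account.id
    return account


def issue_remember_me(store, account_id, now=None):
    """Create a selector:validator token; only the validator's hash is persisted."""
    now = time.time() if now is None else now
    selector = secrets.token_urlsafe(12)
    validator = secrets.token_urlsafe(32)
    validator_hash = hashlib.sha256(validator.encode()).hexdigest()
    store.tokens[selector] = (account_id, validator_hash, now, now + TOKEN_TTL)
    return f"{selector}:{validator}"


def set_cookie_header(token):
    """Cookie attributes: HTTPS-only, invisible to scripts, not sent cross-site."""
    return f"remember_me={token}; Max-Age={TOKEN_TTL}; Path=/; Secure; HttpOnly; SameSite=Lax"


def _lookup(store, cookie_value, now):
    try:
        selector, validator = cookie_value.split(":", 1)
    except ValueError:
        return None, None
    record = store.tokens.get(selector)
    if record is None:
        return None, None
    account_id, validator_hash, issued_at, expires_at = record
    if now >= expires_at:
        del store.tokens[selector]                 # expired: drop it
        return None, None
    presented = hashlib.sha256(validator.encode()).hexdigest()
    if not hmac.compare_digest(presented, validator_hash):
        del store.tokens[selector]                 # selector known, secret wrong: revoke
        return None, None
    return store.accounts[account_id], issued_at


def resume_session(store, cookie_value, now=None):
    """Log the user in from the cookie alone; no call to the provider is needed."""
    now = time.time() if now is None else now
    account, _ = _lookup(store, cookie_value, now)
    return account


def is_fresh(store, cookie_value, now=None):
    """True only if the login behind this cookie is recent enough for a sensitive action."""
    now = time.time() if now is None else now
    account, issued_at = _lookup(store, cookie_value, now)
    return account is not None and (now - issued_at) <= FRESH_AUTH_MAX_AGE
```

A mismatch on a known selector is treated as a theft signal and the token is revoked, which is why the validator is kept out of the database. The answer's suggestion of binding the cookie to one IP address is deliberately not implemented here: it would break the users behind changing proxies the answer mentions, and a short `FRESH_AUTH_MAX_AGE` for sensitive operations covers most of the same risk without that cost.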

