how to do single-sign-on (SSO) between two web apps, PHP and Java EE?

I have an existing Java EE web application running on GlassFish 3.1. Sign in works fine through the jdbcRealm configured in GlassFish 3.1.

Someone on another team is developing a separate web application in PHP, the boss doesn't want the user of the apps to have to sign in twice. That is, when they are signed in to the Java web app and they click a link that takes them to the PHP app, they should already be signed in to that app as well. (And vice-versa.)

Not sure how to implement this. I was thinking that I could generate a long random key (a token) that gets generated on log in of ei开发者_JAVA技巧ther app, and passed around in every web request for either app to identify a logged in user, but that doesn't seem safe.

I need pointers in the right direction.

You said

I was thinking that I could generate a long random key (a token) that gets generated on log in of either app, and passed around in every web request for either app to identify a logged in user, but that doesn't seem safe.

But that's essentially how sessions work.

Your best bet is to generate a unique login identifier (as you said) store it in a database or memory cache accessible by both apps and find a way to save it such that both web apps can retrieve it.

If both apps are on same root domain, you can use a cookie with path set to / so both apps can access it.

If both apps are going to be on different root domain then it will be a little more tricky.

As for security regarding the identifier token being passed around, you could regenerate the identifier on each request, which guards against cookie jacking.