Authenticating across domains : How to?

Before you write off this question as a dupe, I would like to add that there are a few questions with the same subject/title on SO, but this one is a little different, coz most/all of them involve SSL and my question doesn't.

www.mysite.com is my website and it was built using wordpress cms. I am supposed to be building a user management feature (I guess wordpress provides this by default/would need a few plugins) on my website. When a user logs on into www.mysite.com, I am supposed to authenticate this user against www.thirdpartysite.com. This is a little similar to say OpenID in a way, but only that www.thirdpartysite.com does not offer/support any other authentication scheme other than web-based authentication.

So, am I pret开发者_高级运维ty much stuck here with this problem? What would be the best way to proceed here? Do I go tell www.thirdpartysite.com that they would need to expose an API for authentication? Or can I use AJAX here and have a piece of code do authentication in the background to www.thirdpartysite.com - I am not sure if it is possible.

I wouldn't use AJAX here, I would use cURL.

Do a test on www.thirdpartysite.com with valid and invalid credentials to find a way to programatically determine if the login was successful or not. You might find the status codes are different, or that the page is redirected when login succeeds.

Once you have a way to determine successful and unsuccessful logins, create a login form on www.mysite.com. When a user tries to login, in the php code on www.mysite.com handling the post, send a corresponding post to www.thirdpartysite.com (e.g., using cURL). If the login to www.thirdpartysite.com succeeds then treat the user as authenticated, create the session and cookies, etc. If the login to www.thirdpartysite.com fails, then display an error back to the user.

There are security considerations that come into play with this approach as www.mysite.com will have access to the www.thirdpartysite.com username and password for users that login to www.mysite.com. This is something they may or may not trust you with.

The best thing you could do is to create an ajax request which pass SESSID to authenticate on all your sites. It is possible, if you're using, for example JSONP