Building a single sign-on (SSO) feature for stateless applications can be challenging. Stateless applications are the new way of building web applications. Back in the day, web applications would hold a session for each logged-in user; this led to many issues in the areas of scalability, availability and security. As modern web applications get more sophisticated, the need for stateless designs and microservices increases.
A stateless application is one that does not save data generated in one session for use in the next; each request to the web server is served independently of previous and subsequent requests. Sending the user's identity alongside each request, for example as a JSON Web Token (JWT), can eliminate the need for server-side sessions.
Single sign-on is the technique for keeping users logged in across different applications. Think of Google's apps: once you have logged into your Google account, you can move between Gmail, Calendar, Drive and so on without logging into each one individually. For applications with server-side sessions, using a centralized server known as sticky sessions can achieve this goal.
At DOSarrest, we offer multiple applications, DSS, DEMS and CAPP to name a few. We designed and implemented our stateless SSO by leveraging client-side cookies. We store the user identity in cookies whose domain attribute is set to *.dosarrest.com, which allows all subdomains to share the same cookies.
On start-up, each client application checks for the token cookie. If there is no cookie, or if a request at any point returns a 401 Unauthorized response, the client redirects the user to the login app. After a successful login, the user is redirected back to the originating app.
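The start-up rule described above, written out as an added example (this is not DOSarrest's code). The cookie name, the login app URL and the shared domain `.example.com` are constructed placeholders standing in for the real ones; the return-URL check restricts the post-login redirect to hosts under the shared cookie domain.

```javascript
// Added example (not DOSarrest's code): the client-side start-up check the post
// describes, for a JWT in a cookie shared across sub-domains. Names are placeholders.
const TOKEN_COOKIE = "token";                    // assumed cookie name
const LOGIN_APP = "https://login.example.com/";  // placeholder for the login app
const SHARED_DOMAIN = ".example.com";            // stands in for *.dosarrest.com

// Base64url helpers; Buffer is Node.js, a browser would use atob/btoa instead.
const toB64Url = (s) => Buffer.from(s, "utf8").toString("base64")
  .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const fromB64Url = (s) => Buffer.from(s.replace(/-/g, "+").replace(/_/g, "/")
  .padEnd(s.length + ((4 - s.length % 4) % 4), "="), "base64").toString("utf8");
// Parse a document.cookie string ("a=1; b=2") into a name -> value map.
function parseCookies(cookieString) {
  const jar = {};
  for (const part of cookieString.split(";")) {
    const i = part.indexOf("=");
    if (i > 0) jar[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return jar;
}
// Read the JWT payload WITHOUT verifying it: on the client this is only a hint to
// skip a doomed request; every backend must still verify the signature itself.
function decodeJwtPayload(token) {
  const parts = token.split(".");
  if (parts.length !== 3) return null;
  try { return JSON.parse(fromB64Url(parts[1])); } catch (e) { return null; }
}
// Login URL carrying the origin app so the user can be sent back afterwards. Only
// https hosts under the shared cookie domain are accepted as a return target.
function loginRedirect(currentUrl) {
  const u = new URL(currentUrl);
  const trusted = u.protocol === "https:" && u.hostname.endsWith(SHARED_DOMAIN);
  return LOGIN_APP + "?return=" + encodeURIComponent(trusted ? u.href : LOGIN_APP);
}
// The rule from the post: no token cookie, an expired token, or a 401 from the
// last request all send the user to the login app; otherwise the app proceeds.
function startupDecision(cookieString, currentUrl, nowSeconds, lastStatus) {
  const token = parseCookies(cookieString)[TOKEN_COOKIE];
  const payload = token ? decodeJwtPayload(token) : null;
  const usable = payload && !(typeof payload.exp === "number" && payload.exp <= nowSeconds);
  if (lastStatus === 401 || !usable) return { action: "login", redirect: loginRedirect(currentUrl) };
  return { action: "proceed" };
}
// Constructed sample cookie string; the token's signature is a dummy that a real
// backend would reject, so it only exercises the client logic above.
function demoCookie(exp) {
  const header = toB64Url(JSON.stringify({ alg: "HS256", typ: "JWT" }));
  const payload = toB64Url(JSON.stringify({ sub: "alice", exp }));
  return `theme=dark; ${TOKEN_COOKIE}=${header}.${payload}.dummy-signature`;
}
```

In a browser the cookie string comes from `document.cookie`, the current URL from `location.href`, and `lastStatus` from the response of the most recent API call.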
Developer, DOSarrest Internet Security