Understanding Single Sign-On (SSO): Concepts, Browser Flow, and Cross‑Domain Issues

Concept

Single Sign‑On (SSO) is a popular enterprise solution that lets a user log in once and then access all mutually trusted applications without re‑authenticating.

Prerequisites

Same‑origin policy restricts how documents or scripts loaded from one origin can interact with resources from another origin; the protocol, port, and host must match.

HTTP is a stateless application‑layer protocol, so the server cannot identify a client without a token such as a cookie.

Cookies are client‑side storage mechanisms set via the Set-Cookie response header or document.cookie , and are sent with each request; subdomains can read parent‑domain cookies.

Sessions are an abstract concept for tracking a series of HTTP requests from the same client, typically implemented by a SessionID cookie.

Single‑System Login

When a user accesses a login‑required application, the browser follows a series of steps (illustrated by the accompanying diagram) that result in a session cookie being set, allowing subsequent requests to carry the cookie and be recognized by the backend.

Multi‑System Login Issues

Same Domain

Cookies are sent automatically, and the backend can retrieve the SessionID without any difference between single‑service and multi‑service scenarios.

Different Subdomains

Subdomain cookies are not shared by default, but a cookie set on the parent domain (e.g., demo.com ) can be accessed by both app.demo.com and news.demo.com , enabling cross‑subdomain SSO.

Completely Different Domains

By default, cookies cannot be shared across completely different domains.

Front‑End Cross‑Domain with Cookie

To obtain the login state via an asynchronous request, the front‑end can send a cross‑origin request with credentials:

xhrFields: {
  withCredentials: true
}

This requires the target server to enable CORS and explicitly list allowed origins (wildcards are not permitted when withCredentials is true).

CAS (Central Authentication Service)

CAS is an open‑source single‑sign‑on solution that uses redirection to a central domain to share authentication across different domains. The login flow involves redirecting the user to the CAS server, generating a Service Ticket (ST), validating it, and then discarding the ST after a single use.

Extended Reading

Related topics include Single‑Sign‑Out (SLO) and OAuth2, with links to further documentation.

Reference Documents

Browser Same‑Origin Policy: https://developer.mozilla.org/zh-CN/docs/Web/Security/Same-origin_policy

CAS Protocol: https://apereo.github.io/cas/5.2.x/protocol/CAS-Protocol.html

Call to Action

If you found this content helpful, please click “In View” and follow the "Zhengcai Cloud Front‑End Team" public account for more curated articles.

Recruitment

The Zhengcai Cloud Front‑End Team (ZooTeam) in Hangzhou is hiring front‑end engineers and full‑stack developers; interested candidates can email [email protected] .