$Id: README.txt,v 1.1.2.1 2008/03/21 06:07:42 dalin Exp $

Multisite Login allows a user to log in to all sites in a multisite configuration, even though the
multisites do not share domain names.  It was designed as an alternative to the singlesignon module,
but it uses a technique that does not block search engines from accessing your website.


**INSTALLATION**

1)  Install and set up multisite_api before using this module.
2)  Adjust the settings in multisite_api to control which sites are logged in to.  Multisite_login
    will log in to all sites that match the current site's visibility and server.
3)  In order for this to work, the following tables must all be shared across all non-excluded sites:
      multisite_login
      sessions (the next version will remove this limitation)
      users
    If you are not already sharing the users tables, this module is of no use to your site setup.
4)  Install and enable this module and multisite_api on all of your multisites.
5)  Log in to one of the sites.
6)  If you are an administrator, you will see a string of single-pixel images at the bottom of the page,
    one for each partner site (if you are not an admin, the images are hidden via CSS techniques). A
    black image indicates a successful login, red means failure.  Check admin/logs/watchdog on the
    partner site to see why a login failed.


**TECHNIQUE**
When a user logs into a site, the returned HTML will include several image tags, one for each partner
site. The URL of each image includes a query string which provides enough information to log the
user in on the partner site. A cookie belonging to the partner site is then stored in the user's browser.
Partner sites return 1x1 images.

*Originating Site*

On hook_user $op = login
- query each partner site via image tag
- img src has a query string that includes double-munged password, uid, and the session id encoded
  in a reversible hash

*Partner Site*

Via a menu callback
- Check if uid/md5 match
- Check if IP matches what is stored in the session table for the given session id
- Check that the timestamp is recent
- Check that this sid hasn't been tried before
- log the user in
- store the sid so it can't be used again for a multisite login
- return image
- exit(0);
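
The partner-site checks listed above, written out as a stand-alone PHP function. This is an added example, not the module's own code: the field names, the 60-second window, the reading of "double MD5ed" as md5(md5(password)), and the use of the sessions table's hostname column for the IP are assumptions, and the session id is taken as already decoded.

```php
<?php
// Added illustration, not the module's code. Field names, the 60-second
// window and the md5(md5(password)) reading of "double MD5ed" are assumptions.
const MAX_AGE = 60;

/**
 * Runs the partner-site checks in the order the README lists them.
 * $req:     uid, hash, sid, ts parsed from the image URL's query string
 * $user:    row from the shared users table (pass = md5 of the password)
 * $session: row from the shared sessions table for $req['sid'], or null
 * $used:    sids already consumed, standing in for the multisite_login table
 * Returns 'ok' or the reason to log on the partner site.
 */
function check_login_request(array $req, array $user, ?array $session,
                             array &$used, string $ip, int $now): string {
    // Constant-time comparison so the check does not leak how much matched.
    if ((int) $req['uid'] !== (int) $user['uid']
        || !hash_equals(md5($user['pass']), (string) $req['hash'])) {
        return 'uid/md5 mismatch';
    }
    if ($session === null || $session['hostname'] !== $ip) {
        return 'IP does not match session';
    }
    if (abs($now - (int) $req['ts']) > MAX_AGE) {
        return 'stale timestamp';
    }
    if (isset($used[$req['sid']])) {
        return 'sid already used';
    }
    $used[$req['sid']] = $now; // burn the sid before logging the user in
    return 'ok';
}

// Constructed sample data.
$now     = 1206079662;
$user    = ['uid' => 7, 'pass' => md5('correct horse')];
$session = ['sid' => 'abc123', 'uid' => 7, 'hostname' => '192.0.2.10'];
$req     = ['uid' => 7, 'hash' => md5($user['pass']), 'sid' => 'abc123', 'ts' => $now - 5];
$used    = [];

echo check_login_request($req, $user, $session, $used, '192.0.2.10', $now), "\n";
echo check_login_request($req, $user, $session, $used, '192.0.2.10', $now), "\n";   // replayed URL
$fresh = ['sid' => 'def456'] + $req;
echo check_login_request($fresh, $user, $session, $used, '198.51.100.9', $now), "\n"; // other IP
```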

*Considerations*
We are passing a double-MD5ed password. Although it is not theoretically impossible to reverse
engineer, someone who really wants to break into your site would use a method that requires less work.
If the query string _were_ to be somehow obtained by a third party, it could not be used by the
third party to masquerade as the original user, since logins are only allowed once per session id.

**CREDITS**
This module was developed by 

Advomatic
http://advomatic.com

and sponsored by

Politicker
http://politicker.com
+ 50 state sites

and 
 
The New York Observer
http://observer.com