Tuesday, August 02, 2005

single signon

Right now we have a very primitive security system:
  • There is no SSL, no certificates. (Makes it much easier to put up a server.)
  • There is no encryption. (No restrictions on running in France or anywhere else.)
  • Persistent cookies are optional and hold the user name and a sha hash of the password.
  • There is no delete user or change password.

With such a system, it should be trivial to implement single signon:

  1. The user clicks on a link to the server being used (the link contains a request for another server).
  2. The server creates a redirect with the user name and a token for the other server. (The token consists of the time and a sha hash of the time and the user password.)
  3. The browser redirects the user to the other server, passing the username, token, and request.
  4. The other server does a session logon (cookieless) and returns the requested page. If the user did not exist or the login fails, the login/registration page is displayed.

The key here is for the user to have the same name/password on all servers. Then it becomes pretty seamless.
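The four steps above, played out between two servers as an added example (this is not the post's code). It assumes both servers store the same sha hash of the password, as the persistent cookie does, and that the token hashes the time together with that stored hash so the receiving server can recompute it; the freshness window is an added check the post does not describe.

```python
import hashlib
import hmac
from typing import Optional
from urllib.parse import urlencode, parse_qs

# Constructed sample user database shared by both servers: each stores the
# sha hash of the password (same name/password everywhere, as the post requires).
USERS = {"alice": hashlib.sha1(b"correct horse").hexdigest()}


def make_token(username: str, issued_at: int) -> str:
    """Token = time + sha hash of (time, stored password hash).
    Assumption: hashing the stored hash rather than the plaintext password."""
    digest = hashlib.sha1(f"{issued_at}:{USERS[username]}".encode()).hexdigest()
    return f"{issued_at}:{digest}"


def build_redirect(username: str, other_server: str, request_path: str, now: int) -> str:
    """Step 2: the origin server answers the click with a redirect to the other server."""
    query = urlencode({"user": username, "token": make_token(username, now),
                       "request": request_path})
    return f"http://{other_server}/sso?{query}"


def accept_redirect(url: str, now: int, max_age: int = 60) -> Optional[str]:
    """Step 4: the other server checks the token and does a cookieless session logon.
    Returns the requested path on success, or None so the caller shows the login page."""
    params = parse_qs(url.split("?", 1)[1])
    try:
        user, token, request = (params[k][0] for k in ("user", "token", "request"))
    except KeyError:
        return None
    if user not in USERS:          # unknown user: fall through to login/registration
        return None
    issued_str, _, digest = token.partition(":")
    if not issued_str.isdigit():
        return None
    issued = int(issued_str)
    # Added freshness check: a token that is old or from the future is refused,
    # so a captured redirect URL cannot be reused indefinitely.
    if not 0 <= now - issued <= max_age:
        return None
    expected = hashlib.sha1(f"{issued}:{USERS[user]}".encode()).hexdigest()
    if not hmac.compare_digest(expected, digest):   # constant-time comparison
        return None
    return request
```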
