We now support automatically logging in to any site in the Stack Exchange network.
By that I mean, as long as …
- You have recently logged in to any Stack Exchange network site
- You hold an existing account on the target site you’re navigating to
- You are using the same OpenID credentials
… the site you’re navigating to will automagically log you in! You’ll see a notification bar at the top to let you know when you’ve automatically logged into a site.
(We just forced every registered account in the entire network to log off and log back in to ensure that everyone has logged in under this new regime — so everyone should meet criteria #1 by definition.)
Global logins are tricky for us because we need cross-domain identity. That is, each of the following sites should, somehow, just magically know who you are:
(not to mention that all current Stack Exchange 2.0 sites will eventually have custom domain names of their own choosing.)
While subdomains such as meta.serverfault are easy if you store your cookies the right way, getting access to cookies at different domains is, to put it charitably, a friggin’ nightmare. The whole third party cookie story — that is, reading or writing cookies stored at a domain other than the one you’re currently on — is irreversibly screwed up, and getting worse with every new browser release, thanks mostly to unscrupulous ad networks.
So, we gave up on using third-party cookies. Instead, we use HTML 5 Local Storage for global authentication, at our centralized domain stackauth.com. Now, this does require a modern browser, though not unreasonably so: IE8+, Chrome, Safari, Firefox 3.6+, and Opera 10.61+ are all supported.
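A sketch of how a central auth origin can share login state through Local Storage instead of third-party cookies, added here as an example and not Stack Exchange's code. The hidden iframe and postMessage transport, the origin allowlist, the `globalSession` key and all function names are assumptions; the point is the origin check on both sides of the exchange.

```javascript
// Added illustration; not Stack Exchange's implementation.
// Assumed design: each site embeds a hidden iframe served from the auth origin;
// the frame reads that origin's Local Storage and answers via postMessage.
const AUTH_ORIGIN = "https://stackauth.com";
// Hypothetical allowlist of network sites permitted to ask for a session.
const NETWORK_ORIGINS = new Set([
  "https://stackexchange.com",
  "https://serverfault.com",
]);

// Runs inside the auth-origin frame; `storage` is window.localStorage there.
function handleSessionRequest(event, storage) {
  // event.origin is filled in by the browser, not by the sending page.
  if (!NETWORK_ORIGINS.has(event.origin)) return null;
  if (!event.data || event.data.type !== "session-request") return null;
  const token = storage.getItem("globalSession"); // hypothetical key name
  if (token === null) return null; // no recent network login: stay silent
  // The reply is addressed to the verified origin, never to "*".
  return { targetOrigin: event.origin, message: { type: "session", token } };
}

// Runs on the network site that receives the frame's reply.
function acceptSessionReply(event) {
  if (event.origin !== AUTH_ORIGIN) return null; // ignore other windows/frames
  if (!event.data || event.data.type !== "session") return null;
  if (typeof event.data.token !== "string") return null;
  return event.data.token; // in this sketch the server still validates it
}

// Minimal in-memory stand-in for localStorage so the sketch runs under Node.
function makeStorage(initial = {}) {
  const items = new Map(Object.entries(initial));
  return {
    getItem: (key) => (items.has(key) ? items.get(key) : null),
    setItem: (key, value) => items.set(key, String(value)),
  };
}

// Constructed sample exchange: serverfault.com asks, the auth frame answers.
const demoStore = makeStorage({ globalSession: "constructed-token-123" });
const demoRequest = { origin: "https://serverfault.com", data: { type: "session-request" } };
const demoReply = handleSessionRequest(demoRequest, demoStore);
console.log(acceptSessionReply({ origin: AUTH_ORIGIN, data: demoReply.message }));
```

In a browser, the two handlers would be wired to `window.addEventListener("message", ...)` and the reply sent with `event.source.postMessage(reply.message, reply.targetOrigin)`.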
Kevin has labored mightily to get all this working, and we’ve been silently running beta revisions of global auth across the network for the last two or three weeks as we work out the kinks and test. We now think it’s (mostly) ready for prime time.
As with all things technically complex, there are some caveats. Global auth should work fine in the typical case — and even if global auth is completely down, it can never prevent you from logging into a site the traditional way. But please be advised that we may not be able to automatically log you in, if …
- You’ve been to the target site recently without a global auth session (click the “login” link at the top of every page to force it)
- You’re using some sort of anonymizer that interferes with HTTP Referrer
- You aren’t using the same OpenID across all sites
- You’re visiting a per-site meta without first logging into the parent (child metas don’t use global auth; they rely on identity coming from the parent site.)
(And if you’re looking for excruciating technical detail on how this all works, Kevin has documented that here on meta.)
If you have issues with global auth and need to troubleshoot, I suggest starting by forcing a global logout — you can do this by clicking “log out”, then clicking the big “log out everywhere” button.
Bear in mind that you must hold accounts on the sites — global authentication will not automatically create accounts for you (with the lone exception of http://stackexchange.com itself). That said, as long as you’re logged into one account in our network, you should now be automatically logged into all your accounts.