Maintaining a login across three servers.

We have two major web applications that are each on a different server/location than our webpage.

Each application requires a login, and we would like to figure out a way to securely cross between the two. URL passing is not an option because of the security risk is poses.

Is there a way to maintain login info across servers? The next problem is that one application is written in EDIFY (I'm probably spelling that wrong, I've never touched the code) and another is written in .NET ASP. I do our webpage in HTML/PHP.

Maintaining a Cookie is probably also going to be vetoed.

as far as I know, it's not a easy job to do this.

if these apps are under the same domain name , maybe cookie is the simplest. if they are not, you may have to use the database to record login information and find a way to verify it.

you may look into some existing products on the market, maybe you can find some

I remember MS's Passport technology should be able to solve this, but that's too complex I think

well, i could imagine this to be possible. Especially if you are a php man, like me

1. grab visitor's ip address on site 1.
Store ip adress with login/password and timestamp of login.
2. on site 2:
2.1: check visitor's $_SERVER['http_referer'], if it contains server1's dns value, to verify visitor comes from server1.
2.2: If it does, grab its ip address.
2.3: query server1's database for that ip address. If ip exists, get timestamp value. If timestamp value Greater than [you decide how long ] show login form, else let him pass through.

this is just an idea, never tried it. Except the 2.1 step, which works fine.