Sorry, I just realized that I had another seemingly untrue assumption:
get to site1 from site2 and vice-versa. Without this assumption, I can
how this is a very difficult problem. So, then, is this really
the two sites are to be completely separate from each other, why do you
to keep the login information the same?
You can’t check IP address because those change.
Anything else you check will require the user entering in something, so
might as well just be an unlinked login system (even OpenID, unless
some desktop utility to auto-fill such fields, will require the user to
enter in the login).
And if you require the user to enter in just the login name, there is a
large security hole by not also requiring a password.
So if the sites are related, and one clicks on links on site1 that take
to site2, then my solution will work, passing along a key through GET or
POST. Otherwise, if the user manually visits each site, they’ll need to
enter in full credentials.
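
One way a key passed through GET or POST between two linked sites can be made safe for the receiving site to accept, as an added example that is not part of the original post. The shared secret, the 60-second lifetime, the in-memory replay cache and the names `issue_key` and `redeem_key` are all assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

SHARED_KEY = secrets.token_bytes(32)  # assumption: known only to site1 and site2
MAX_AGE = 60                          # seconds a handoff key stays valid
_seen_nonces = set()                  # site2's replay cache (in memory for the example)

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_key(user, now=None):
    """site1: build the value carried in the link or form posted to site2."""
    issued = int(time.time() if now is None else now)
    payload = json.dumps({"u": user, "t": issued, "n": secrets.token_hex(8)}).encode()
    tag = hmac.new(SHARED_KEY, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(tag)

def redeem_key(key, now=None):
    """site2: return the user name, or None if forged, expired or replayed."""
    try:
        p64, t64 = key.split(".")
        payload, tag = _unb64(p64), _unb64(t64)
    except ValueError:
        return None
    expected = hmac.new(SHARED_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    data = json.loads(payload)  # parsed only after the MAC has been verified
    current = time.time() if now is None else now
    if not 0 <= current - data["t"] <= MAX_AGE:
        return None
    if data["n"] in _seen_nonces:
        return None
    _seen_nonces.add(data["n"])
    return data["u"]
```

A key sent through GET ends up in server logs, browser history and Referer headers, which is why the example makes it short-lived and single-use rather than a reusable credential.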