Sorry, I just realize that I had another seemingly untrue assumption:
users
get to site1 from site2 and vice-versa. Without this assumption, I can
see
how this is a very difficult problem. So, then, is this really
necessary? If
the two sites are to be completely separate from each other, why do you
want
to keep the login information the same?
You can’t check IP address because those change.
Anything else you check will require the user entering in something, so
it
might as well just be an unlinked login system (even OpenID, unless
there’s
some desktop utility to auto-fill such fields, will require the user to
enter in the login).
And if you require the user to enter in just the login name, there is a
very
large security hole by not also requiring password.
So if the sites are related, and one clicks on links on site1 that take
you
to site2, then my solution will work, passing along a key through GET or
POST. Otherwise, if the user manually visits each site, they’ll need to
enter in full credentials.
Jason