Following the post made in July 2009 and lengthy trials, we arrived at a cross-site authorization scheme that is simple and, for us, optimal.
The task is to organize cross-site authorization between projects hosted on different domains (site1.com, site2.com). A user who logs in on one project is authorized on all of them (Single Sign-On). The same applies to the logout button (Single Sign-Out). Each project has access to the session storage and the database. Authorization is not mandatory on either project.
Note that registration and the storage and transmission of user data are outside the scope of this post; only authorization is discussed here.
The task can be divided into three main parts:
- Authorization: the user entered a login and password in the form.
- Automatic authorization: the user ticked "remember me", or is already authorized on one of the projects.
- Logout: the user pressed the "logout" button.
We agree that:
- site.com is one of the projects.
- sso.com is a general authorization server.
Authorization
The user fills out a form on site.com. We encrypt the following into a single string (the token) and redirect to sso.com:
- Login.
- Password.
- The "remember me" flag.
- url1: the address to return to if authorization succeeds.
- url2: the address to go to on error.
- The current time, used to reject stale tokens.
sso.com accepts the GET request, decrypts the data, and checks the token creation time (no more than 2 minutes old) and the login/password:
- Login/password correct: sso.com creates a session and sets a cookie. We store the binding of session ID to user ID in the database and redirect to url1 with the encrypted session ID and "remember me" flag. site.com then raises the session and sets its own cookie.
- Login/password incorrect: we redirect to url2.
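The token handling described above, as an added example that is not code from the original post: the token is encrypted and authenticated (encrypt-then-MAC over a JSON body carrying the creation time), sso.com rejects anything that fails the MAC or is older than two minutes, and it refuses to redirect to a url1/url2 outside a constructed allowlist of project hosts. The keystream built from HMAC-SHA256 in counter mode, the key values, the allowlist and the `check_credentials` callback are all assumptions made so the example runs with the standard library only.

```python
import base64
import hashlib
import hmac
import json
import os
import secrets
import time
from urllib.parse import urlparse

TOKEN_MAX_AGE = 120  # seconds: the two-minute window sso.com allows for a token
NONCE_LEN, TAG_LEN = 16, 32

# Constructed allowlist of project hosts; url1/url2 must point at one of them,
# otherwise the token is rejected before any redirect is issued.
ALLOWED_PROJECT_HOSTS = {"site1.com", "site2.com"}


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode, used here only so the example needs no
    # third-party cipher library; a real deployment would use AES-GCM or similar.
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(payload: dict, enc_key: bytes, mac_key: bytes, now=None) -> str:
    """Encrypt-then-MAC the payload together with its creation time (the token)."""
    body = dict(payload, ts=int(time.time() if now is None else now))
    plain = json.dumps(body, separators=(",", ":")).encode()
    nonce = os.urandom(NONCE_LEN)
    cipher = bytes(a ^ b for a, b in zip(plain, _keystream(enc_key, nonce, len(plain))))
    tag = hmac.new(mac_key, nonce + cipher, hashlib.sha256).digest()
    return _b64e(nonce + cipher + tag)


def open_token(token: str, enc_key: bytes, mac_key: bytes, now=None, max_age=TOKEN_MAX_AGE):
    """Return the payload, or None if the token is malformed, tampered with or stale."""
    try:
        raw = _b64d(token)
        if len(raw) < NONCE_LEN + TAG_LEN:
            return None
        nonce, cipher, tag = raw[:NONCE_LEN], raw[NONCE_LEN:-TAG_LEN], raw[-TAG_LEN:]
        expected = hmac.new(mac_key, nonce + cipher, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):  # constant-time comparison
            return None
        plain = bytes(a ^ b for a, b in zip(cipher, _keystream(enc_key, nonce, len(cipher))))
        body = json.loads(plain)
        age = (time.time() if now is None else now) - body["ts"]
    except (ValueError, KeyError, TypeError):
        return None
    if not 0 <= age <= max_age:  # also rejects tokens dated in the future
        return None
    return body


def return_url_allowed(url: str) -> bool:
    parts = urlparse(url)
    return parts.scheme == "https" and parts.hostname in ALLOWED_PROJECT_HOSTS


def sso_login_endpoint(token, enc_key, mac_key, check_credentials, now=None):
    """sso.com side of the flow: returns the redirect target, or None to refuse outright."""
    data = open_token(token, enc_key, mac_key, now)
    if data is None:
        return None
    try:
        if not (return_url_allowed(data["url1"]) and return_url_allowed(data["url2"])):
            return None
        if not check_credentials(data["login"], data["password"]):
            return data["url2"]
        # Success: here sso.com would create its session, set its cookie and store the
        # session_id -> user_id row; the session ID goes back to site.com inside a new token.
        session_id = secrets.token_urlsafe(32)
        reply = seal({"sid": session_id, "remember": bool(data["remember"])}, enc_key, mac_key, now)
        return data["url1"] + "?t=" + reply
    except KeyError:
        return None
```

A token that fails the MAC or is outside the two-minute window produces no redirect at all rather than a redirect to url2, because url2 itself comes from the token and cannot be trusted until the token is verified; the same reasoning is why both return addresses are checked against the allowlist before use.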
Auto login
The user opens site.com. We check for a session cookie:
- Session cookie present: check whether the session exists.
  - Session exists: the user is authorized!
  - No session: check in the database whether there is a session ID / user ID binding.
    - Binding exists: we raise the session and the user is authorized!
    - No binding: we delete the session cookie on site.com.
- No session cookie: we embed a JavaScript file from sso.com at the top of the page. The file is served by a PHP script that checks whether there is a cookie on sso.com:
  - Cookie present: check whether the session is raised.
    - Session raised: we return JS that sets the session cookie and reloads the page on site.com. The user is authorized!
    - Session not raised: check whether there is a session ID / user ID binding.
      - Binding exists: we raise the session and return JS that sets the cookie and reloads the page on site.com. The user is authorized!
      - No binding: we delete the cookie and return an empty JS file.
  - No cookie: we return an empty JS file.
Logout
The user presses the "logout" button on site.com. We drop the session, delete the session cookie, and redirect to sso.com with the encrypted return address. sso.com deletes its session cookie and the session ID / user ID binding in the database. The user is logged out!
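The auto-login decision tree and the logout sequence above, modelled together as an added example that is not code from the original post. The in-memory session stores, the shared database dictionary, the project and sso.com classes and the `walkthrough()` driver are all constructed for the example; the real scheme keeps these in the session storage and database the post mentions.

```python
import secrets


class SessionStore:
    """In-memory stand-in for one host's session storage (constructed for the example)."""

    def __init__(self):
        self.sessions = {}  # session_id -> user_id, only for raised sessions


class SsoServer:
    """sso.com: its own session store plus the session ID / user ID bindings in the shared database."""

    def __init__(self, db):
        self.db = db  # shared table: session_id -> user_id
        self.store = SessionStore()

    def login(self, user_id):
        """After a correct login/password: create the session and its database binding."""
        sid = secrets.token_urlsafe(32)
        self.store.sessions[sid] = user_id
        self.db[sid] = user_id
        return sid  # becomes the sso.com session cookie

    def js_endpoint(self, sso_cookie):
        """The script that site.com embeds. Returns (JS body, delete_stale_cookie);
        an empty body means 'not logged in on sso.com'."""
        if sso_cookie is None:
            return "", False
        user_id = self.store.sessions.get(sso_cookie)
        if user_id is None:
            user_id = self.db.get(sso_cookie)
            if user_id is None:
                return "", True  # no session, no binding: drop the cookie
            self.store.sessions[sso_cookie] = user_id  # raise the session from the binding
        js = f'document.cookie = "sid={sso_cookie}; path=/; secure"; location.reload();'
        return js, False

    def logout(self, sso_cookie):
        """Second half of Single Sign-Out: drop the sso.com session and the binding."""
        self.store.sessions.pop(sso_cookie, None)
        self.db.pop(sso_cookie, None)


class Project:
    """One of the projects (site.com), sharing the database with sso.com."""

    def __init__(self, db):
        self.db = db
        self.store = SessionStore()

    def resolve(self, cookie):
        """Returns (user_id, action) by walking the auto-login decision tree."""
        if cookie is None:
            return None, "embed_sso_js"
        user_id = self.store.sessions.get(cookie)
        if user_id is not None:
            return user_id, "authorized"
        user_id = self.db.get(cookie)
        if user_id is not None:
            self.store.sessions[cookie] = user_id  # raise the session from the binding
            return user_id, "authorized"
        return None, "delete_cookie"

    def logout(self, cookie):
        """First half of Single Sign-Out: drop the local session, then send the user to sso.com."""
        self.store.sessions.pop(cookie, None)
        return "https://sso.com/logout"  # carries the encrypted return address in the real flow


def walkthrough():
    """Runs the whole sign-on / sign-out sequence across two projects and records what each step sees."""
    db = {}
    sso, site1, site2 = SsoServer(db), Project(db), Project(db)
    sid = sso.login("alice")            # user logged in via the sso.com form flow
    first = site1.resolve(None)          # site1 has no cookie yet: embed the sso.com script
    js, _ = sso.js_endpoint(sid)         # the script sets the cookie and reloads
    after_js = site1.resolve(sid)        # raised on site1 via the database binding
    on_site2 = site2.resolve(sid)        # site2 raises its own session the same way
    site1.logout(sid)
    sso.logout(sid)
    return {
        "first": first,
        "js_has_sid": sid in js,
        "after_js": after_js,
        "on_site2": on_site2,
        "site1_after_logout": site1.resolve(sid),
        "sso_after_logout": sso.js_endpoint(sid),
        "site2_after_logout": site2.resolve(sid),
    }
```

Running `walkthrough()` shows the flow exactly as the post describes it, and also makes one consequence of the design visible: logout touches the project the button was pressed on, sso.com and the database binding, so a second project that had already raised its session keeps serving it until that session expires. A project that needs sign-out to take effect immediately has to re-check the binding on each request instead of trusting its raised session.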
As you can see, this scheme works with any number of projects. A user who logs in on one of them is logged in on all of them, and the same goes for the "logout" button.
I would be glad if our experience is useful to you. Constructive criticism is welcome.
Update: Thanks to DileSoft and divedeep for the valuable comments, which have been taken into account in this scheme.