javascript - How to start a valid user session inside an iframe


I need to set up a master site that embeds site 1 and site 2 in iframes, logs in, and starts user sessions within them.

Site 1 (RoR) and site 2 (unknown framework) each have their own authentication (username, password, cookies, the usual framework security).

The master site (PHP) server has direct access to site 1's database and knows the password hashing algorithm, so it can validate the master site's login password against site 1. Site 2's passwords can be changed accordingly if needed; there is no access to its DB or framework.

I cannot change anything in either site 1 or site 2, unfortunately. I can build around them though, as full read access to site 1 is present.

I've sketched a quick diagram to better show what I mean/need:

Diagram: http://gettaxi.me/public_img/help.png

I need to start a user session inside the iframe. The login credentials of site 1 are identical to the master site's (they come from the same DB); the credentials for site 2 are assumed to be the same (it might show "login failed" if they're not).

Idea list so far:

  1. I record the login credentials from the master site in a cookie and use them to populate the iframe fields. Maybe store an encrypted version and decrypt it when needed? Still, storing a password in cookies (even encrypted) seems absurd.

  2. Same as above, but store it in a master site session variable.

  3. The idea of cross-domain cookies seems useless here because every site sets its own session cookies; one website can't set another's...

I've never dealt with cross-domain before. Before I go and start coding things like a madman that might or might not work, I turn to you for advice! How should I go about accomplishing this? Is it possible at all?

Additional questions:

  1. Do cookies set by sites 1 and 2 within iframes behave the same? Are they persistent, and if I opened the same website not in an iframe later, would they be accepted?

  2. If storing credentials (cookies/session) is the way to go: how do I populate the login fields in the iframe and submit the form? JavaScript? A neat GET/POST/redirection trick?

Thanks in advance!

OK, it turned out to be quite simple. And to the downvoters... in your face - I'll post my own solution here; who knows, maybe someone will find it useful.

  1. The user logs in to the master site
  2. Validate the credentials
  3. Generate a random client token
  4. Encrypt the password with the token and store the ciphertext in a session variable
  5. Set a cookie and store the token in the user's browser

jQuery actions when a link to site 1 or 2 is clicked:

  1. Send an ajax request to the server with the token
  2. Validate the user session and decrypt the stored password on success
  3. Send the password to the client and pre-fill the username and password fields of a hidden form that mimics the iframed website's login form
  4. Submit the form with target="iframe"
  5. Clear the pre-filled form fields

Voilà, a working cross-domain iframe auto-login...

Of course there's more going on: hiding and unhiding divs on button clicks, session timeouts, token expiry and renewal upon user action, and so on, but the main thing works! Yes, the password is sent in plain 3 times, but none of the websites have HTTPS in place anyway. The password is not stored in plain either.

Update:

Spoke too soon. There are issues with IE and Safari when the iframe content returns Access-Control-Allow-Origin headers. Stronger security policies treat iframe content with caution and do not allow session cookies to be saved. This can be fixed either by dropping the privacy setting a notch in IE, allowing 3rd party cookies in Safari, or detecting the browser and, if it's one of the above, opening in a new tab/window.

Otherwise, it works fine in: Chrome, Firefox, Opera and Maxthon.


Comments

Popular posts from this blog

user interface - How to replace the Python logo in a Tkinter-based Python GUI app? -

objective c - Greedy NSProgressIndicator Allocation -

how to set an OCR language in Google Drive -