Question

I need to set up a Master Site that would embed Site 1 and Site 2 in iframes, log in and start user sessions within them.

Site 1 (RoR) and Site 2 (unknown framework) have got their own authentication (username, pass, cookies, usual framework security).

Master Site (PHP) server has direct access to Site 1 database and I know the password hashing algorithm so I can validate Master Site's login password against Site 1. Site 2 can get their passwords to be changed accordingly if needed, but no access to db nor framework.

I cannot change anything in either Site 1 or Site 2, unfortunately. I can only build around it, though full read access to Site 1 is present.

I've sketched a quick diagram to better show what I mean/need:

Diagram: http://gettaxi.me/public_img/help.png

I need to start a user session inside an iframe. The login credentials of Site 1 are identical to Master Site's as they come from the same db, credentials for Site 2 will be assumed same (might just show login failed if they're not).

Idea list so far:

  1. I could record the login credentials into Master Site cookie and use it to populate the iframe fields. Maybe store an encrypted version and decrypt when needed? But still, storing a password in cookies (even encrypted) seems absurd.

  2. Same as above but store it in Master Site session variable.

  3. The idea of cross-domain cookies seems useless here because every site has to set its own session cookies; one website can't set them for another...

I've never dealt with anything cross-domain like this before. So before I go and start coding things like a mad man that might or might not work - I turn to you for help and advice! How would you go about accomplishing this? Is this possible at all?

Additional questions:

  1. Do cookies set by Site 1 and 2 from within iframes behave the same? Are they persistent and if I'd open the same website NOT in an iframe later, would they be accepted?

  2. If storing credentials (cookies/session) is the only way to go: how would I then populate the login fields in an iframe and submit the form? JavaScript? Some neat GET/POST/redirection trick?

Thanks in advance!


Solution

Ok, it turned out to be quite simple. And to stick it to the downvoters ... face - I'll post my own solution here, who knows, maybe someone will find it useful.

  1. User logs in to Master Site
  2. Validate credentials
  3. Generate a random client token
  4. Encrypt the password with that token and store the crypto in a session variable
  5. Set a cookie and store that token in the user's browser

jQuery actions when Link to Site 1 or 2 is clicked:

  1. Send an ajax request to server with that token
  2. Validate user session and decrypt stored password on success
  3. Send the password back to client and pre-fill username and password fields of a hidden form that mimics the iframed website's login form
  4. Submit that form with target="iframe"
  5. Clear those pre-filled form fields

Voilà, a working cross-domain iframe auto-login...

Of course there's more going on like hiding/unhiding divs on button clicks, session timeouts, token expiry renewal upon any user action and so on, but the main thing is that it works! Yes, the password is sent in plain text 3 times but none of those websites have HTTPS in place anyway. The password is not stored in plain text either.

Update:

Spoke too soon. There are issues with IE and Safari when iframe content returns Access-Control-Allow-Origin headers. Their stronger security policies treat iframe content with caution and do not allow session cookies to be saved. It can either be fixed by dropping the privacy setting by a notch in IE, allowing 3rd party cookies in Safari, or simply detecting the browser and, if it's one of the above, opening it in a new tab/window.

Otherwise, works fine in: Chrome, Firefox, Opera and Maxthon
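The server side of the procedure above (steps 3 to 5 and the decrypt step of the ajax handler), as an added PHP example rather than the poster's code; it assumes PHP 7.3 or later with the sodium extension, and the cookie and session key names are invented here.

```php
<?php
// Added example (not the poster's code): Master Site side of the answer's
// steps 3-5 plus the ajax decrypt step. PHP >= 7.3 with ext/sodium assumed;
// the cookie and session key names are mine. Token lives only in the
// browser, ciphertext only in $_SESSION, so neither alone reveals the password.

// Step 3: random client token (32 bytes of entropy, hex-encoded).
function generateClientToken(): string {
    return bin2hex(random_bytes(32));
}

// Fixed-length secretbox key from the token. The token is already random,
// so a plain BLAKE2b hash is enough; no password stretching is needed.
function tokenToKey(string $token): string {
    return sodium_crypto_generichash($token, '', SODIUM_CRYPTO_SECRETBOX_KEYBYTES);
}

// Step 4: authenticated encryption (XSalsa20-Poly1305) with a fresh nonce,
// nonce prepended so the stored value is self-describing.
function encryptPassword(string $password, string $token): string {
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box   = sodium_crypto_secretbox($password, $nonce, tokenToKey($token));
    return base64_encode($nonce . $box);
}

// Ajax handler step: null on a wrong token or tampered ciphertext (the
// Poly1305 tag fails), never garbage that gets pasted into the login form.
function decryptPassword(string $stored, string $token): ?string {
    $raw = base64_decode($stored, true);
    if ($raw === false || strlen($raw) <= SODIUM_CRYPTO_SECRETBOX_NONCEBYTES) {
        return null;
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box   = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = sodium_crypto_secretbox_open($box, $nonce, tokenToKey($token));
    return $plain === false ? null : $plain;
}

// Step 5, after the login POST has been validated (step 2): ciphertext to
// the session, token to a cookie. HttpOnly is fine because the browser sends
// the cookie with the same-origin ajax call; page script never reads it.
session_start();
$token = generateClientToken();
$_SESSION['pw_crypt'] = encryptPassword($_POST['password'], $token);
setcookie('client_token', $token, ['path' => '/', 'httponly' => true, 'samesite' => 'Strict']);

// Later, in the ajax endpoint: null means token mismatch or tampering; refuse.
$password = decryptPassword($_SESSION['pw_crypt'] ?? '', $_COOKIE['client_token'] ?? '');
```

This only protects the password at rest in the session store; the ajax response still carries it in the clear, as the post itself notes.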

Licensed under: CC-BY-SA with attribution