Ok, it turned out to be quite simple. And to stick it to the downvoters ... face - I'll post my own solution here, who knows, maybe someone will find it useful.
- User logs in to Master Site
- Validate credentials
- Generate a random client token
- Encrypt the password with that token and store the crypto in a session variable
- Set a cookie and store that token in the user's browser
jQuery actions when Link to Site 1 or 2 is clicked:
- Send an ajax request to server with that token
- Validate user session and decrypt stored password on success
- Send the password back to client and pre-fill username and password fields of a hidden form that mimics the iframed website's login form
- Submit that form with `target="iframe"`
- Clear those pre-filled form fields
Voilà, a working cross-domain iframe auto-login...
Of course there's more going on like hiding, unhiding divs on button clicks, session timeouts, token expiry renew upon any user action and so on, but the main thing is that it works! Yes, the password is sent in plain 3 times but none of those websites have HTTPS in place anyway. The password is not stored in plain either.
Update:
Spoke too soon. There are issues with IE and Safari when iframe content returns Access-Control-Allow-Origin headers. Their stronger security policies treat iframe content with caution and do not allow session cookies to be saved. It can either be fixed by dropping the privacy setting by a notch in IE, allowing 3rd party cookies in Safari or simply detecting the browser and if it's one of the above - open it in a new tab/window.
Otherwise, works fine in: Chrome, Firefox, Opera and Maxthon
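
The token and session steps of the procedure above (generate a token, encrypt the password under it, decrypt on the Ajax request), sketched server-side in Node.js as an added example that is not part of the original post. AES-256-GCM, the 15-minute expiry, the plain-object session and the function names `sealPassword` and `openPassword` are assumptions made for illustration.

```javascript
// Added example: names and parameters are assumptions, not the poster's code.
const crypto = require('node:crypto');

const TOKEN_TTL_MS = 15 * 60 * 1000; // assumed token lifetime

// Login step: create a random client token and seal the password under it.
// Returns the token (for the cookie) and the record kept in the server session.
function sealPassword(password, now = Date.now()) {
  const token = crypto.randomBytes(32);   // 256-bit random client token, used as the key
  const iv = crypto.randomBytes(12);      // fresh GCM nonce for every encryption
  const cipher = crypto.createCipheriv('aes-256-gcm', token, iv);
  const ct = Buffer.concat([cipher.update(password, 'utf8'), cipher.final()]);
  const record = {
    iv: iv.toString('base64'),
    ct: ct.toString('base64'),
    tag: cipher.getAuthTag().toString('base64'),
    expires: now + TOKEN_TTL_MS,
  };
  return { token: token.toString('base64'), record };
}

// Ajax step: recover the password only if the cookie token is well formed,
// the record has not expired, and the GCM tag verifies. Returns null otherwise.
function openPassword(tokenB64, record, now = Date.now()) {
  if (!record || now > record.expires) return null;
  const key = Buffer.from(String(tokenB64), 'base64');
  if (key.length !== 32) return null;
  try {
    const d = crypto.createDecipheriv('aes-256-gcm', key, Buffer.from(record.iv, 'base64'));
    d.setAuthTag(Buffer.from(record.tag, 'base64'));
    const pt = Buffer.concat([d.update(Buffer.from(record.ct, 'base64')), d.final()]);
    return pt.toString('utf8');
  } catch (e) {
    return null; // wrong token or tampered session record
  }
}

// Constructed sample values, for demonstration only.
const session = {};
const { token, record } = sealPassword('s3cret-sample');
session.sealed = record;                           // server side: ciphertext only
console.log(openPassword(token, session.sealed));  // recovers the sealed password
```

Because the token is the only key, the session store alone cannot yield the password, while anyone who can read both the cookie and the session record can.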