I have site A that embeds modules in iframe B. Modules may be different. The user has an authenticated session at A and I want B to refuse to boot unless the user has a valid session at A. B doesn't need to know anything other than that the user has an authenticated session with A. No session data needed.

Neither A nor B is currently keeping up with HTTPS, but I want to change that as soon as I can convince the people upstairs to buy an SSL certificate.

So, I thought of two completely different schemes to do this in a safe way, but I'm not sure which one would work better, so I hope to get some feedback here. Any help is appreciated!

Option 1

• Adds ?session=SESSION_ID
  
  to B URL
• Server side script in B retrieves the session id and does a GET A/verify?session=SESSION_ID
  
  
• Answers with 200 OK or 403 Forbidden
• If the answer from A was 200, the user is considered authenticated, access to B is allowed

get even

• Easy to implement
• No general configuration required (other than the url B already knows)

Downsides

• B must communicate with A, which increases the load time
• Session IDs should be kept secret - really shouldn't be transmitted
• Susceptibility to repeated attacks (as long as the session is valid)

Option 2

• Encrypts a block of data containing a timestamp, url, url B and salt with a key shared between A and B and appends it to url B
• The server side script in B decrypts the data block, validates the urls, and makes sure the timestamp is not too old.
• If everything is checked, the user is considered authenticated and has access to B

get even

• No server-to-server communication
• The session id is never passed to B
• Immunity to repeated attacks (outside of the time delay allowed for the timestamp)

Downsides

• Harder to implement
• A and B must be synchronized in time
• A and B need to split the key