Best way to test session in iframe of another domain
I have site A that embeds modules in iframe B. Modules may be different. The user has an authenticated session at A and I want B to refuse to boot unless the user has a valid session at A. B doesn't need to know anything other than that the user has an authenticated session with A. No session data needed.
Neither A nor B is currently keeping up with HTTPS, but I want to change that as soon as I can convince the people upstairs to buy an SSL certificate.
So, I thought of two completely different schemes to do this in a safe way, but I'm not sure which one would work better, so I hope to get some feedback here. Any help is appreciated!
to B URL
- Server side script in B retrieves the session id and does a GET
- Answers with 200 OK or 403 Forbidden
- If the answer from A was 200, the user is considered authenticated, access to B is allowed
- Easy to implement
- No general configuration required (other than the url B already knows)
- B must communicate with A, which increases the load time
- Session IDs should be kept secret - really shouldn't be transmitted
- Susceptibility to repeated attacks (as long as the session is valid)
- Encrypts a block of data containing a timestamp, url, url B and salt with a key shared between A and B and appends it to url B
- The server side script in B decrypts the data block, validates the urls, and makes sure the timestamp is not too old.
- If everything is checked, the user is considered authenticated and has access to B
- No server-to-server communication
- The session id is never passed to B
- Immunity to repeated attacks (outside of the time delay allowed for the timestamp)
- Harder to implement
- A and B must be synchronized in time
- A and B need to split the key
source to share
generates a random hash and stores it in the database table along with the session id (two fields).
passes a hash to each url for
like `B /? hash = x '
checks if the hash matches any in the database table and also checks if the session id is complete (can be output or terminated) and then reports
if it is good or not. How
As you say, you do
n't need to know anything other than if it is authenticated or not.
So the session id is not passed in the url, which you say is not ideal.
source to share