Best way to test session in iframe of another domain

I have site A that embeds modules in iframe B. Modules may be different. The user has an authenticated session at A and I want B to refuse to boot unless the user has a valid session at A. B doesn't need to know anything other than that the user has an authenticated session with A. No session data needed.

Neither A nor B is currently keeping up with HTTPS, but I want to change that as soon as I can convince the people upstairs to buy an SSL certificate.

So, I thought of two completely different schemes to do this in a safe way, but I'm not sure which one would work better, so I hope to get some feedback here. Any help is appreciated!

Option 1

  • Adds ?session=SESSION_ID

    to B URL
  • Server side script in B retrieves the session id and does a GET A/verify?session=SESSION_ID

  • Answers with 200 OK or 403 Forbidden
  • If the answer from A was 200, the user is considered authenticated, access to B is allowed

get even

  • Easy to implement
  • No general configuration required (other than the url B already knows)


  • B must communicate with A, which increases the load time
  • Session IDs should be kept secret - really shouldn't be transmitted
  • Susceptibility to repeated attacks (as long as the session is valid)

Option 2

  • Encrypts a block of data containing a timestamp, url, url B and salt with a key shared between A and B and appends it to url B
  • The server side script in B decrypts the data block, validates the urls, and makes sure the timestamp is not too old.
  • If everything is checked, the user is considered authenticated and has access to B

get even

  • No server-to-server communication
  • The session id is never passed to B
  • Immunity to repeated attacks (outside of the time delay allowed for the timestamp)


  • Harder to implement
  • A and B must be synchronized in time
  • A and B need to split the key

source to share

1 answer

Option 3


generates a random hash and stores it in the database table along with the session id (two fields). A

passes a hash to each url for B

like `B /? hash = x '


checks if the hash matches any in the database table and also checks if the session id is complete (can be output or terminated) and then reports B

if it is good or not. How A/verify?hash=x


As you say, you do B

n't need to know anything other than if it is authenticated or not.

So the session id is not passed in the url, which you say is not ideal.



All Articles