setting cookies crossdomain
Posted by: Kyo
Date: March 13, 2009 03:21PM

More of a PHP question than security, but still somehow related to security. Basically I have two domains - one that is basically an interface where users can control their sites and whatever, and then a domain with the sites itself - containing HTML. Right now I have the users logged in on the html-less site and not on the other, but I'd like to have them logged in on the other as well. There would be no "real" sensitive data exposed and no control. Basically just a control that lets them know which comments they can edit and what they voted.

Now if I want to do this, there are two questions:
1) how do I authenticate them? just a cookie with a user id? Nothing sensible exposed and no way of doing anything with it, so it's not a problem from the "remote logging in" side, but maybe some users don't want their votes exposed, and it could be used for site-creators to track who's been on their site. I could make it session based, but the session wouldn't last as long as the cookie set to keep the user logged in. I guess maybe some kind of verification string that changes with every login for a user.

But more importantly
2) How do I set the cookies on that domain? I can't find a solution that is not incredibly dirty. Iframes? Javascript? redirects?

Any ridiculously obvious solutions I'm missing here?

Re: setting cookies crossdomain
Posted by: bd808
Date: March 21, 2009 07:49PM

So you are trying to accomplish:
client -> www.a.org -> login -> auth cookie for www.b.org

No sane browser will accept a cookie sent by *.a.org to be resent to *.b.org. There are things however that can be done that aren't too convoluted. Assuming you aren't barred from running some scripts on www.b.org, the simplest thing may be a redirect through a page at www.b.org to set the b.org domain cookie following the initial authentication at www.a.org. Conceptually something like this:

1) client sends user/pass to www.a.org
2) www.a.org validates credentials
3) http redirect to www.b.org and set auth cookie for www.a.org domain
4) client follows redirect to www.b.org
5) http redirect to www.a.org and set auth cookie for www.b.org domain
6) client follows redirect to www.a.org
7) login success screen

A tricky part here will be protecting the authenticated user data that is exposed in the redirect from a.org to b.org. Assuming that you can't do anything as easy as validate state via a database or other shared messaging system, you'll need to use either encryption or some sort of salted hash to prevent tampering and replay attacks.

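The tricky step in the redirect flow above is the token carried from a.org to b.org. This added example (not from the thread) shows one way to make it tamper-proof, expiring and single-use: it assumes a secret shared by both sites and an in-memory set standing in for the poster's shared database of consumed nonces.

```python
"""Signed, single-use handoff token for the a.org -> b.org redirect step."""
import base64
import hashlib
import hmac
import os
import time

# Constructed secret shared by both sites (they run on the same host here).
SHARED_SECRET = b"constructed-secret-rotate-me"
TOKEN_TTL = 60  # seconds a handoff token stays valid

# Stands in for the shared database table of already-consumed nonces.
used_nonces = set()


def mint_handoff_token(user_id, now=None):
    """Step 3: a.org builds userid|expiry|nonce and appends an HMAC over it."""
    now = time.time() if now is None else now
    nonce = os.urandom(16).hex()
    payload = f"{user_id}|{int(now) + TOKEN_TTL}|{nonce}".encode()
    sig = hmac.new(SHARED_SECRET, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload + b"|" + sig.encode()).decode()


def verify_handoff_token(token, now=None):
    """Step 5: b.org checks signature, expiry and single use.

    Returns the user id on success, None on any failure; only then should
    b.org set its own (low-value) cookie for the b.org domain.
    """
    now = time.time() if now is None else now
    try:
        raw = base64.urlsafe_b64decode(token.encode())
        payload, sig = raw.rsplit(b"|", 1)
        user_id, expiry, nonce = payload.decode().split("|")
        user_id, expiry = int(user_id), int(expiry)
    except (ValueError, UnicodeDecodeError):
        return None  # malformed token
    expected = hmac.new(SHARED_SECRET, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig.decode(), expected):
        return None  # tampered payload (e.g. edited user id)
    if now > expiry:
        return None  # stale token
    if nonce in used_nonces:
        return None  # replayed token
    used_nonces.add(nonce)
    return user_id
```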
Re: setting cookies crossdomain
Posted by: Kyo
Date: March 22, 2009 06:33AM

yes, b.org is mine as well. They're on the same host so they share all the info, so a shared database is available, but b.org has user-generated HTML, so it should not have cookies that are of value to an attacker.

I've thought about doing this per XMLHttpRequest. Seems clean and efficient. Your solution is not too bad of an idea either, that leaves just the question of the cookie.
I could either take the pussy way out and just have it a userid, since no real sensitive data is on b.org. Making the auth cookie IP-dependent isn't too good of an idea, because that would make their authentication last shorter than the one on the main site.
