views:

277

answers:

2

Here's the set-up: I have a server-based application. So, all the data is on a server (call it server 'A') and users connect to that server using a desktop-based rich client. The rich client also allows the user to connect to some other server (call it 'X'), that is completely unrelated to server A.

Question: The user has logged into server 'X' from the rich client, and so the rich client has the right cookie to authenticate against server X. Now, the user makes an invocation on server A, which requires server A to go out and get some data from server X. Is it possible to somehow circumvent having server A authenticate against server X, given that the rich client has already authenticated against server X? Is there some way to share the cookie (with server A acting as the second client)? Or some way to have server A forward server X's authentication request back to the rich client and have it resolve against the cookie in the rich client? BTW, we use Apache's HttpClient.

I am not very knowledgeable about server interactions, but am trying to gauge how easy/hard or common/rare it is to do something like this. Is it even possible to do this in a secure manner?

+1  A: 

On a basic level, all HTTP communications are text data being passed back and forth between a client and a server. So, if you extracted the cookies from the Server X response and passed them in the request to Server A, then as long as A understood to extract the cookie data and insert the cookies into a new request to Server X, you would be successful in achieving what you are asking.

In a nutshell, cookies are simply text data that gets passed back and forth between servers and clients. You can grab that data and pass it wherever you like. (You'd probably be breaking a lot of security best practices, though.)

However, many servers are getting smarter about request forgery attacks, and the fact that the remote host, client IP, etc. are different may invalidate the request or at least alarm Server X. So test thoroughly on all test/stage/prod platforms before making any blanket assumptions about the viability of the strategy.

Joe Davis
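The hand-off this answer describes, and the kind of server-side check it warns about, as an added example that is not part of the original post or of Apache HttpClient. It models server X, server A and the rich client in one process: X issues an opaque session cookie on login, A pulls that cookie out of the rich client's request and replays it to X, and X either accepts it or rejects it because the session was bound to the address that logged in. The server names, the cookie name `XSESSION`, the addresses and the user are all assumptions.

```python
"""Cookie hand-off through an intermediate server, and the session-binding
check that can defeat it.  Added example, not code from the original answer.
Server names, cookie name, addresses and user names are assumptions."""
import secrets
from http.cookies import SimpleCookie

SESSION_COOKIE = "XSESSION"   # assumed name of server X's login cookie


class ServerX:
    """Stands in for server X: issues a session cookie on login and,
    optionally, binds that session to the address that logged in."""

    def __init__(self, bind_to_client_addr):
        self.bind_to_client_addr = bind_to_client_addr
        self.sessions = {}        # session id -> {"user": ..., "addr": ...}

    def login(self, user, remote_addr):
        """Return the Set-Cookie header value for a fresh session."""
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": user, "addr": remote_addr}
        cookie = SimpleCookie()
        cookie[SESSION_COOKIE] = sid
        cookie[SESSION_COOKIE]["httponly"] = True
        cookie[SESSION_COOKIE]["secure"] = True
        return cookie.output(header="").strip()

    def get_data(self, headers, remote_addr):
        """Authenticate a request from its Cookie header.  Returns the user
        whose data was served, or None when the request is rejected."""
        morsel = SimpleCookie(headers.get("Cookie", "")).get(SESSION_COOKIE)
        session = self.sessions.get(morsel.value) if morsel is not None else None
        if session is None:
            return None
        if self.bind_to_client_addr and session["addr"] != remote_addr:
            # Same cookie, different origin: the "remote host / client IP are
            # different" case from the answer; treat it as replay or forgery.
            return None
        return session["user"]


def server_a_fetch_from_x(server_x, client_headers, a_addr):
    """Server A receives the rich client's request (server X's cookie carried
    along in the Cookie header), extracts that cookie and replays it in a new
    request to server X, exactly the mechanism the answer describes."""
    morsel = SimpleCookie(client_headers.get("Cookie", "")).get(SESSION_COOKIE)
    if morsel is None:
        return None
    forwarded = SimpleCookie()
    forwarded[SESSION_COOKIE] = morsel.value
    return server_x.get_data(
        {"Cookie": forwarded.output(header="").strip()}, remote_addr=a_addr)


def rich_client_flow(bind_to_client_addr):
    """Run the whole hand-off once.  Returns (direct_result, via_a_result):
    what X serves to the rich client itself, and what X serves when server A
    replays the same cookie from its own address."""
    x = ServerX(bind_to_client_addr)
    client_addr, a_addr = "203.0.113.10", "198.51.100.5"   # assumed addresses
    set_cookie = x.login("alice", client_addr)
    # The rich client keeps the Set-Cookie value and sends it back as Cookie;
    # the attribute flags (HttpOnly, Secure) are not echoed, only name=value.
    cookie_header = set_cookie.split(";")[0]
    direct = x.get_data({"Cookie": cookie_header}, client_addr)
    via_a = server_a_fetch_from_x(x, {"Cookie": cookie_header}, a_addr)
    return direct, via_a


if __name__ == "__main__":
    print("no binding   :", rich_client_flow(False))   # both succeed
    print("bound to addr:", rich_client_flow(True))    # replay via A rejected
```

With `bind_to_client_addr=False` the replay through A succeeds, which is the "you would be successful" case; with it set to `True`, X sees the same session id arriving from A's address and refuses it. Note what the successful case actually means for security: the cookie is a bearer credential, so handing it to A gives A the user's whole session at X, not just the one lookup A was asked to do.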
A: 

If you control the behavior of the "rich client" then yes, sure. Just look at what cookies you have for the server you're about to access. If they include your user login tracking cookie, you're set; if not, look at the cookies for the other server and copy any user login tracking cookie that you have there, if it exists, into the cookie pool for the request you're about to make to that server.

Presumably, because you're trying to share users, the two servers share a user database that has common userIDs or other hashes which you're using in these cookies.

If, on the other hand, the only user tracking you have in place now is essentially session-based, where the cookie contains a hash for the session and that session is stored on the server side, then unless the two servers share the session store, you will not be able to simply hand off identical cookies from the client side.

dlamblin
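The two cases this answer distinguishes, as an added example that is not code from the original answers. The first pair of servers share a user database and a cookie-signing key, so a cookie that carries the user id and an HMAC over it verifies on either server and copying it between them works. The second pair keep opaque session ids in a server-local map, so the copied cookie means nothing to the other server unless both are handed the same store. The server names, the `userid.hmac` cookie format, the keys and the user are assumptions.

```python
"""Copying a login cookie between two servers: self-contained signed cookie
versus opaque server-side session.  Added example, not code from the original
answers.  Server names, cookie format, keys and user names are assumptions."""
import hashlib
import hmac
import secrets


class SharedUserDbServer:
    """Servers that share a user database and a cookie-signing key.  The cookie
    is "<user id>.<hmac-sha256 hex>", so either server verifies it locally."""

    def __init__(self, name, signing_key):
        self.name = name
        self.key = signing_key

    def _tag(self, user_id):
        return hmac.new(self.key, user_id.encode(), hashlib.sha256).hexdigest()

    def issue_cookie(self, user_id):
        return f"{user_id}.{self._tag(user_id)}"

    def user_from_cookie(self, cookie):
        user_id, _, tag = cookie.rpartition(".")
        if not user_id:
            return None
        # Constant-time compare so the tag cannot be guessed byte by byte.
        return user_id if hmac.compare_digest(self._tag(user_id), tag) else None


class SessionStoreServer:
    """Servers that map an opaque session id to a user in their own store.  The
    cookie is only meaningful where that store is reachable."""

    def __init__(self, name, store=None):
        self.name = name
        self.sessions = store if store is not None else {}

    def issue_cookie(self, user_id):
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = user_id
        return sid

    def user_from_cookie(self, cookie):
        return self.sessions.get(cookie)


def copy_cookie_between_servers(issuer, consumer, user_id="alice"):
    """What the rich client does in the answer: take the login cookie it got
    from one server and present it to the other.  Returns the user the second
    server accepts, or None."""
    return consumer.user_from_cookie(issuer.issue_cookie(user_id))


def demo():
    """Run all four combinations; returns {case: accepted user or None}."""
    key = secrets.token_bytes(32)
    shared_store = {}
    return {
        "shared signing key": copy_cookie_between_servers(
            SharedUserDbServer("X", key), SharedUserDbServer("A", key)),
        "different signing keys": copy_cookie_between_servers(
            SharedUserDbServer("X", key),
            SharedUserDbServer("A", secrets.token_bytes(32))),
        "separate session stores": copy_cookie_between_servers(
            SessionStoreServer("X"), SessionStoreServer("A")),
        "shared session store": copy_cookie_between_servers(
            SessionStoreServer("X", shared_store),
            SessionStoreServer("A", shared_store)),
    }


if __name__ == "__main__":
    for case, user in demo().items():
        print(f"{case:24s}: {user}")
```

Only the "shared signing key" and "shared session store" cases accept the copied cookie, which is the answer's point in both directions. The signed cookie here is the bare minimum to show the idea: a deployable one also needs an expiry and a way to revoke, otherwise a leaked `userid.tag` is a permanent login on every server holding the key.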