views: 39
answers: 4
I have 2 applications, each in different domains. When a user comes to the first application, clicks a link, the user is sent to the second application.

My problem is as follows: I need to persist a sessionId from the first application to the second application. Simple enough, but here's the catch. I can't use the query string and I can't use cookies (since they are on different domains). I was thinking, is there a way to insert custom values into HTTP headers or set some form values on an intermediate page which would then POST to the second application? So the process would be as follows:

The user clicks a link on the first page, which takes the user to an "intermediate" page; this "intermediate" page sets a sessionId value in the form or an HTTP header, then the "intermediate" page sends the user to the second application via a POST, where the app will have the sessionId.

I can't use a Server.Transfer since the app is not on the same server. Help?

A: 

This is how Microsoft tried to do it: Does Issuing Passports Make Microsoft a Country?

Nick
A: 

One way that you could do it is to use web services. Before the user is to switch sites, you could give the user a unique authentication token that has been agreed upon prior to leaving.

Another thing you could do (this is not a great solution, but it works) is to use frames, and to send the child frame information (login information) through JavaScript. I really don't like this method, because it presents so many problems that it's best avoided.

What I mean:

  • Web services: Communicate with the other site to say "this user is currently logged in here," you can do this at login (depends how much you trust the other domain), or you can do it when the user requests to leave
  • Giving the user an authentication token: You can post it as a form element. Or, if you had an agreement with both domains, you could send it to a URL that could later be interpreted as a redirection service plus an authentication token confirmation portion, i.e., domain.com/page/token+pageid-mixture
monksy
A: 

You could try and make a secure SOAP or XML request with a secure token referencing a session id you stored for the user in a shared database. You could then load the user's session based on that session id stored in the db if a match is found.

cballou
I hope I got this correctly, but basically store the user's info in the database and pull it based on a sessionId which is sent via SOAP/XML. The only thing I'm missing: how does the sessionId from the first app get persisted to the second app so the SOAP call can use the referenced sessionId? I might be missing something.
iratz
You could store all session data using base64 encoding along with the session id in the database. You would look up this data based on your unique token. You would then create a session on site2 using the same session id and populate it with the stored data. If you used the database to store sessions, you could perhaps skip this step and simply reuse the session id.
cballou
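The two answers above (monksy's form-posted token and cballou's token-to-session lookup in a shared database) fit together into one handoff, sketched here as an added example in Python; it is not code from any of the posters and not tied to any particular framework. Assumptions: a plain dict stands in for the shared database both domains can reach, the token is valid for 60 seconds, and the form field is called `handoff`; all names are illustrative. Site 1 mints a random one-time token and stores the session data under it, the intermediate page auto-submits that token to site 2 via POST (so it never lands in a query string, referrer, or access log), and site 2 deletes the record on first use, rejects expired or unknown tokens, and mints its own session id rather than reusing site 1's, so a leaked token does not double as site 1's session cookie value.

```python
"""Cross-domain session handoff: one-time token posted from an intermediate
page, backed by a store both sites can reach (added example, not from the thread)."""
import html
import secrets
import time

# Constructed stand-in for the shared database mentioned in the answers.
# Maps handoff token -> record; a real deployment uses a DB table or cache.
HANDOFF_STORE = {}

TOKEN_TTL_SECONDS = 60  # assumption: the browser completes the POST within a minute


def issue_handoff(session_id, session_data, now=None):
    """Site 1: mint a one-time token that references the user's session.

    The token is a random 256-bit value, so it cannot be guessed and carries
    no session data itself; the data lives only in the shared store."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    HANDOFF_STORE[token] = {
        "session_id": session_id,
        "data": dict(session_data),
        "expires": now + TOKEN_TTL_SECONDS,
    }
    return token


def render_intermediate_page(target_url, token):
    """Site 1: the 'intermediate' page from the question.

    A plain HTML form that auto-submits the token to site 2 via POST, so the
    token stays out of the URL. Values are HTML-escaped before being placed
    in attributes."""
    safe_url = html.escape(target_url, quote=True)
    safe_token = html.escape(token, quote=True)
    return (
        "<html><body onload=\"document.forms[0].submit()\">"
        f"<form method=\"post\" action=\"{safe_url}\">"
        f"<input type=\"hidden\" name=\"handoff\" value=\"{safe_token}\">"
        "<noscript><input type=\"submit\" value=\"Continue\"></noscript>"
        "</form></body></html>"
    )


def redeem_handoff(token, now=None):
    """Site 2: consume the token from the POST body and return the record.

    Returns None if the token is unknown, expired, or already used. The record
    is removed before any check so a replayed POST cannot redeem it twice."""
    now = time.time() if now is None else now
    record = HANDOFF_STORE.pop(token, None)
    if record is None:
        return None
    if now > record["expires"]:
        return None
    return record


def create_local_session(record):
    """Site 2: build its own session from the handed-over data.

    A fresh local session id is minted rather than reusing site 1's id, so
    the handoff never exposes site 1's session identifier to site 2's cookies."""
    return {"session_id": secrets.token_urlsafe(32), "data": dict(record["data"])}


if __name__ == "__main__":
    t0 = 1_700_000_000.0  # constructed clock value for a deterministic run
    tok = issue_handoff("site1-sess-abc", {"user": "alice", "role": "member"}, now=t0)
    print(render_intermediate_page("https://app2.example/handoff", tok))
    rec = redeem_handoff(tok, now=t0 + 5)
    print(create_local_session(rec))
    print(redeem_handoff(tok, now=t0 + 6))  # second use of the same token is refused
```

The handoff endpoint on site 2 should only be served over HTTPS, and the shared store needs to be reachable by both domains; if the sites cannot share a database, the same record can be carried inside the token by signing it with a key both sites hold, at the cost of having to track used nonces to keep the single-use property.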
A: 

Use OpenID. It's designed for this purpose (common authentication to web sites on multiple domains). The protocol's been under development for years and has probably encountered and solved a lot of the problems you'd be likely to run into if you roll your own solution.

Ben Dunlap