tags:

views:

39

answers:

4
Q: 

Persisting data cross domains?

I have 2 applications, each in different domains. When a user comes to the first application, clicks a link, the user is sent to the second application.

My problem is as follows: I need to persist a sessionId from the first application to the second application. Simple enough but here's the catch. I can't use query string and I can't use cookies(since in different domains). I was thinking, is there a way to insert custom values into HTTP Headers or set some form values on an intermediate page which would then POST to the second application? So the process would be as follows:

User clicks a link on the first page, this takes the user to an "intermediate" page, this "intermediate" page sets a sessionId value in the form or http Header, then the "intermediate" page sends the user to the second application via a POST where the app will have the sessionId.

I can't use a Server.Transfer since the app is not on the same server. Help?

A: 

This is how Microfot tried to do it Does Issuing Passports Make Microsoft a Country?.

Nick  2009-11-10 17:57:28
A: 

One way that you could do it is to use webservices. Before the user is to switch sites, you could give the user an unique authentication token that has been agreed upon prior to leaving.

Another thing you could do (this is not a great solution, but it works) is to use frames, and to send the child frame information through javascript (login information). I really don't like this method, because it presents so many problems that its best avoided.

What I mean:

  • Web services: Communicate with the other site to say "this user is currently logged in here," you can do this at login (depends how much you trust the other domain), or you can do it when the user requests to leave
  • Giving the user an authentication token: You can post it as a form element. Or if you had an agreement with both domains you could send it to a URL that could later be interpreted as a rediection service+authentication token confirmation portion. I.E.: domain.com/page/token+pageid-mixture
monksy  2009-11-10 18:06:46
A: 

You could try and make a secure SOAP or XML request with a secure token referencing a session id you stored for the user in a shared database. You could then load the user's session based on that session id stored in the db if a match is found.

cballou  2009-11-10 18:08:59
I hope I got this correctly, but basically store the user's info info in the database and pull it based on a sessionId which is sent via SOAP/XML. The only thing I'm missing, how does the sessionId from the first app get persisted to the second app so the SOAP call can use the referenced sessionId? I might be missing something.
iratz  2009-11-10 18:15:51
You could store all session data using base64 encoding along with the session id in the database. You would look up this data based on your unique token. You would then create a session on site2 using the same session id and populate with the stored data. If you used the database to store sessions you could perhaps skip this step and simple reuse the session id.
cballou  2009-11-10 18:42:09
A: 

Use OpenID. It's designed for this purpose (common authentication to web sites on multiple domains). The protocol's been under development for years and has probably encountered and solved a lot of the problems you'd be likely to run into if you roll your own solution.

Ben Dunlap  2009-11-10 18:15:20

related questions

Retrieving HTTP status code from loaded iframe with Javascript
How to specify an authenticated proxy for a python http connection?
Why does HttpCacheability.Private suppress ETags?
How to respond to an alternate URI in a RESTful web service
Is there a reason to use BufferedReader over InputStreamReader when reading all characters?
What would be a good, windows and iis (http) based distributed version control system
Database query representation impersonating file on Windows share?
How do I use NTLM authentication with Active Directory
Process raw HTTP request content
How would you implement FORM based authentication without a backing database?
Reading "chunked" response with HttpWebResponse
Best way to let users download a file from my website: http or ftp
How do I convert a date to a HTTP-formatted date in .Net / C#
What is the best way to upload a file via an HTTP POST with a web form?
How do I stop IIS7 dropping my cookies?
Checking FTP status codes with a PHP script.
HTTP Libraries for Emacs
Accessing post variables using Java Servlets
HTTP: Generating ETag Header
HTTP: How to know when to send a 304 Not Modified response
How do I best detect an ASP.NET expired session?
How can I make the browser see CSS and Javascript changes?
How to curl or wget a web page?
The Definitive Guide To Website Authentication
Implementation of "Remember me" in a Rails application.