views:

96

answers:

2

Suppose I have a machine M and a webserver S. From M, I would like to be able to visit a page on S which will log me into some site X (e.g., Gmail). However, I want this to happen without M ever handling any password details. Also, I don't want to use a proxy, but rather have the end result be as if M were actually visiting the site X logged in. To recap:

  1. On machine M, I visit a special page on server S.
  2. Server S logs into X and transfers cookies or whatnot to M.
  3. M never processes the password for X.
  4. End result is the same as if M had actually logged into X itself.

Is this even remotely possible? I understand that there are limitations on what cookies a website can set, etc., so transferring cookies may be an issue, but maybe this can be avoided if I also control the browser?

Note: You may assume that I have full control over S, and full control over the browser on M (probably Firefox). The server S, of course, knows the necessary password to X.

Please feel free to edit my title and tags as necessary as I find it difficult to categorize this question.

A: 

Do you know for sure that said sites don't map your cookie to the IP you logged in from, and force a re-login if it's not the same? If so, you might be SOL unless you want to proxy. If not, and your assumption is that M is keylogged and mouselogged, what's to imply that it's not also being packet sniffed (meaning your shiny cookie will be compromised, which, if the above is feasible, means someone could presumably still log in, albeit with a potentially limited window of opportunity).

But if you're going to be paranoid, let's be paranoid.

James
Thanks for your comment. Re IP address: that is a consideration. I don't know how many sites do that, but I actually think it's not too many (maybe banks). Re paranoia: yes, I understand that possibility.
A. Rex
A: 

Take a look at OAuth and OpenID. I'm not quite sure what you want but they may be right for you.

Thomas