views:

37

answers:

2

I have a website that came with a SSL site for HTTPS but its on a different server. Example being

my website:

http://example.com

my SSL site:

https://myhostingcompany.com/~myuseraccount/

So I can do transactions over HTTPS and we have user accounts and everything but it is located on a different domain. The cookie domain is set for that one.

Is there a way I can check on my actual site to see if a cookie is set for the other one? And possibly grab its data and auth a user?

I think this violates a major principle of security and can't be done for good reasons, but am i wrong? is this possible?

A: 

I really hope you can't do what your asking.

Chris Lively
what if i have a way on the page on the real site (example.com) and I let the user give me their cookie for the other site (hostingcompany.com) then I check it and if its good I let the user on my site access to whatever I was hiding.
asdasda
+2  A: 

You can setup a service on either site to handle RPC via HTTP POST requests. You can make it require some sort of session that can only be created by your sites. However, whatever can be accessed over that shared session on the HTTPS site will have no guarantee of confidentiality or integrity.

Longpoke
sort of what i expected. the only reason im even considering this is because its not important data that is being hidden from everyone. it doesnt matter if its public, just for convienence its hidden. this whole shitty idea is just for convienence. some retards want something that i say is a bad idea, and they say but we want it, so i give it a try.
asdasda
+1 this is probably what I would do.
Rook