Reputation: 4236
Best way of validating session in other-domain iframe
I have a site A, which embeds modules in an iframe B. The modules may be other-domain. The user has an authenticated session in A, and I want B to refuse to load unless the user has a valid session in A. B does not need to know anything beyond the fact that the user has an authenticated session with A. No session data is needed.
At the moment, neither A nor B are behind HTTPS, but I am looking to change that once I can convince the people upstairs to buy an SSL certificate.
So, I've thought of two quite different schemes to accomplish this in a secure fashion, but I am uncertain which of them will work better, so I am hoping to get some feedback here. Any help is appreciated!
Option 1
- A appends
?session=SESSION_IDto B's URL - The server-side script at B extracts the session ID, and executes GET
A/verify?session=SESSION_ID - A replies with 200 OK or 403 Forbidden
- If the reply from A was a 200, the user is considered authenticated is allowed access to B
Upsides
- Easy to implement
- No shared configuration necessary (apart from A's URL, which B already knows)
Downsides
- B must contact A, which increases loading time
- Session IDs are supposed to be secret - shouldn't really be passed around
- Susceptible to replay attacks (for as long as the session is valid)
Option 2
- A encrypts a data block containing a timestamp, A's URL, B's URL and a salt with a key shared between A and B and appends it to B's URL
- The server-side script at B decrypts the data block, verifies the URLs and checks that the timestamp isn't too old
- If everything checks out, the user is considered authenticated and is allowed access to B
Upsides
- No server-server communication
- Session ID is never transmitted to B
- Not susceptible to replay attacks (beyond the time delay allowed for the timestamp)
Downsides
- More complicated to implement
- A and B need to be somewhat time-synchronized
- A and B need to share a key
Upvotes: 3
Views: 884
Answers (1)
Reputation: 64536
Option 3
A generates a random hash and stores it in a database table along with the session ID (two fields). A passes the hash to each URL for B like `B/?hash=x'
A checks if the hash matches any in the database table and also checks if the session ID is still authenticated (might have logged out or expired) then tells B if it's good or not. Like A/verify?hash=x.
As you say, B doesn't need to know anything other than if it's authenticated or not.
This way no session ID is passed around in the URL which again as you say is not ideal.
Upvotes: 2
Related Questions
- Foolproof way to detect if iframe is cross domain
- Foolproof way to detect if this page is INSIDE a cross-domain iframe
- How to restrict an iframe to a specific domain
- How to start a valid user session inside an iframe
- Internet Explorer Cross Domain Iframe Login
- Making a Same Domain iframe Secure
- Authenticate websites that are using my service through iframe
- Cross domain authentication across an iframe without login
- Detect when iframe is cross-domain, then bust out of it
- (HTML/javascript) Handling a cross-domain iframe