We have a multi-domain platform that uses a central domain for authentication and API operations:

- http://example.com: API and Authentication + Account Management
- http://example.net, http://example.org: Read Only + Widget Actions
I read most (if not all) StackOverflow questions regarding this type of setup, but could not find an understanding of this problem. (Most of the Q&A on this was based on general principles, few on the details.)
We use Porthole.js (javascript iframe proxy library) to make API calls between https://example.com and other domain names. Everything works perfectly.
I am trying to wrap my head around the "login state" and persistent user data for javascript customization.
After seeing how models like StackOverflow are modeled, my first thought was this:

- Login status + settings data (username, photo, etc.) + cookie data in localStorage at https://example.com for 10 minutes or until logging out. After 10 minutes, the cache goes to the server API for updating.
- When you first get to the network site, request a remote localStorage. If they are logged in, the proxy returns the login status, settings and http (not https) cookie IDs. This data is then considered "fresh" for 10 minutes or until logging out.
- The cookie from http://example.com is cloned into the requesting domain, replacing this session. This allows me to use one cookie / id per domain.
I am mostly worried about this last step - cloning the http cookie, although it is only used for tracking and viewing. But the whole system is based on browser security models, and I may be missing something. This seems like an elegant and "safe" mechanism, as if I were using the AuthTicket model (user visits https://example.com/auth-request?destination=http://example.net/auth-response and is redirected to http://example.net/auth-response?nonce=VERYBIGNUMBER) or made a transparent OAuth request in an iframe.
Can anyone shed some light on the obvious / not-so-obvious security issues that I missed, or does this seem as safe as the alternatives?
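As an added illustration (not code from the question or from Porthole.js), here is how the consuming-domain side of the design above could cache login state safely: the handler accepts messages only from the central https origin, keeps only display fields (the field names, the `login-state` message type and the `loginState` storage key are assumptions), never stores cookie or session identifiers, and honours the 10-minute freshness window and logout. `storage` stands in for `window.localStorage` so the code runs outside a browser.

```javascript
const AUTH_ORIGIN = "https://example.com";      // central auth/API domain from the question
const FRESH_MS = 10 * 60 * 1000;                 // 10-minute freshness window from the question
const ALLOWED_FIELDS = ["loggedIn", "username", "photo"]; // assumed display-only fields

// Keep only allowlisted fields; anything resembling a cookie or session id is dropped
function sanitizeLoginState(payload) {
  const out = {};
  for (const key of ALLOWED_FIELDS) {
    if (key in payload) out[key] = payload[key];
  }
  return out;
}

// Validate a postMessage-style event ({origin, data}); returns the record to cache or null
function acceptLoginMessage(event, now = Date.now()) {
  if (event.origin !== AUTH_ORIGIN) return null;  // rejects http://example.com and any other sender
  if (!event.data || typeof event.data !== "object") return null;
  if (event.data.type !== "login-state") return null;
  return { ...sanitizeLoginState(event.data), fetchedAt: now };
}

// A cached record is fresh while logged in and less than 10 minutes old
function isFresh(record, now = Date.now()) {
  if (!record || typeof record.fetchedAt !== "number") return false;
  if (record.loggedIn !== true) return false;
  return now - record.fetchedAt < FRESH_MS;
}

// Read the cache; a stale record is evicted so the caller re-asks the iframe proxy
function loadLoginState(storage, now = Date.now()) {
  const raw = storage.getItem("loginState");
  if (!raw) return null;
  let record;
  try { record = JSON.parse(raw); } catch (e) { return null; }
  if (!isFresh(record, now)) { storage.removeItem("loginState"); return null; }
  return record;
}

function storeLoginState(storage, record) {
  storage.setItem("loginState", JSON.stringify(record));
}

// Logout clears the cache immediately rather than waiting for the 10 minutes to elapse
function logout(storage) {
  storage.removeItem("loginState");
}
```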