dtwxt88240 2014-03-24 21:51
104 views
Accepted

How to start a valid user session inside an iframe

I need to setup a Master Site that would embed Site 1 and Site 2 in iframes, login and start user sessions within them.

Site 1 (RoR) and Site 2 (unknown framework) have their own authentication (username, password, cookies, the usual framework security).

The Master Site (PHP) server has direct access to Site 1's database and I know the password hashing algorithm, so I can validate the Master Site's login password against Site 1. Site 2 can have its passwords changed accordingly if needed, but there is no access to its db or framework.

I cannot change anything in either Site 1 or Site 2, unfortunately. I can only build around them, though full read access to Site 1 is present.

I've sketched a quick diagram to better show what I mean/need:

(diagram: http://gettaxi.me/public_img/help.png)

I need to start a user session inside an iframe. The login credentials of Site 1 are identical to the Master Site's, as they come from the same db; credentials for Site 2 will be assumed to be the same (I might just show "login failed" if they're not).

Idea list so far:

  1. I could record the login credentials in a Master Site cookie and use it to populate the iframe fields. Maybe store an encrypted version and decrypt when needed? But still, storing a password in cookies (even encrypted) seems absurd.

  2. Same as above but store it in Master Site session variable.

  3. The idea of cross-domain cookies seems useless here, because every site has to set its own session cookies; one website can't set them for another...

I've never dealt with anything cross-domain like this before. So before I go and start coding like a madman things that might or might not work, I turn to you for help and advice! How would you go about accomplishing this? Is this possible at all?

Additional questions:

  1. Do cookies set by Site 1 and Site 2 from within iframes behave the same? Are they persistent, and if I later opened the same website NOT in an iframe, would they be accepted?

  2. If storing credentials (cookies/session) is the only way to go: how would I then populate the login fields in an iframe and submit the form? JavaScript? Some neat GET/POST/redirection trick?

Thanks in advance!


1 answer

  • dongtao6842 2014-03-31 09:02

    OK, it turned out to be quite simple. And to stick it in the downvoters' faces, I'll post my own solution here; who knows, maybe someone will find it useful.

    1. User logs in to Master Site
    2. Validate credentials
    3. Generate a random client token
    4. Encrypt the password with that token and store the crypto in a session variable
    5. Set a cookie and store that token in users browser

    jQuery actions when the link to Site 1 or Site 2 is clicked:

    1. Send an ajax request to server with that token
    2. Validate user session and decrypt stored password on success
    3. Send the password back to the client and pre-fill the username and password fields of a hidden form that mimics the iframed website's login form
    4. Submit that form with target="iframe"
    5. Clear those pre-filled form fields

    Voilà, a working cross-domain iframe auto-login...

    Of course there's more going on, like hiding and unhiding divs on button clicks, session timeouts, token expiry renewal upon any user action and so on, but the main thing is that it works! Yes, the password is sent in plaintext 3 times, but none of those websites have HTTPS in place anyway. The password is not stored in plaintext either.

    Update:

    Spoke too soon. There are issues with IE and Safari when iframe content returns Access-Control-Allow-Origin headers. Their stronger security policies treat iframe content with caution and do not allow session cookies to be saved. It can be fixed either by dropping the privacy setting by a notch in IE, by allowing 3rd-party cookies in Safari, or simply by detecting the browser and, if it's one of the above, opening the site in a new tab/window.

    Otherwise, works fine in: Chrome, Firefox, Opera and Maxthon

    This answer was selected as the best answer by the asker.
