I'm running into the following problem. A frontend website (www.domain.com) is used to fill in a form that belongs to the backend (backend.domain.com). This form is protected with a captcha, and the reference value for the captcha is saved in the user session (in PHP).
The submission should be Ajax based, which gives some problems with the cross domains. Therefore I wrote a little PHP proxy on www.domain.com. This proxy requests the form from the backend. When the user submits the form, an Ajax request is made to the proxy and the proxy sends a validation request to the backend and returns the result.
All of this works quite well, except for the captcha that saves the references in the user session. Since the frontend website submits the form to the backend, the backend will use a session for the frontend.
What would be the best way to fix this? I've come up with 2 methods. The first would be to include the reference of the captcha in the form (hashed), so that no sessions are needed. The other way would be to include the form directly from the backend, using an iframe. This second method will probably work fine, but it feels really ugly. What would you suggest for a situation like this?
Update: a sequence diagram describing the situation:
Client                     www.domain.com                backend.domain.com
  |                               |                               |
  |--------visit site------------>|                               |
  |                               |----------get form------------>|
  |                               |<-------return form------------|
  |<-------return form------------|                               |
  |                               |                               |
  |--------submit form----------->|                               |
  |                               |--------submit form----------->|
  |                               |<--------send reply------------|
  |<------captcha failed----------|                               |
  v                               v                               v
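The first method proposed above, a captcha reference carried in the form itself so the backend needs no session, shown as an added PHP example that is not part of the original post; the function names, the CAPTCHA_SECRET placeholder and the five-minute lifetime are assumptions. It signs the answer with an HMAC over an expiry and a nonce instead of storing a bare hash of the answer, because a plain hash of a short captcha answer can be brute-forced offline.

```php
<?php
// Added example (not from the original post): stateless captcha token so the
// backend can verify the answer without a session. Names are hypothetical and
// CAPTCHA_SECRET is a placeholder; it must be a long random key kept off the frontend.

const CAPTCHA_SECRET = 'REPLACE-WITH-LONG-RANDOM-SECRET'; // placeholder
const CAPTCHA_TTL    = 300; // seconds a token stays valid (assumed)

// Backend: called when rendering the form. Emit the returned token as a hidden
// field next to the captcha image; $answer is the text shown in the image.
function captcha_issue(string $answer): string {
    $expires = time() + CAPTCHA_TTL;
    $nonce   = bin2hex(random_bytes(8));
    // Bind expiry, nonce and the normalized answer together under the secret.
    // The answer never appears in the form, only the keyed MAC over it.
    $mac = hash_hmac('sha256', $expires . '|' . $nonce . '|' . strtolower($answer), CAPTCHA_SECRET);
    return $expires . '.' . $nonce . '.' . $mac;
}

// Backend: called on the validation endpoint the proxy forwards to. Recomputes the
// MAC from the user's answer and the token fields; true only if they match and the
// token has not expired.
function captcha_verify(string $token, string $userAnswer): bool {
    $parts = explode('.', $token);
    if (count($parts) !== 3) {
        return false;
    }
    [$expires, $nonce, $mac] = $parts;
    if (!ctype_digit($expires) || (int) $expires < time()) {
        return false; // expired or malformed expiry
    }
    $expected = hash_hmac('sha256', $expires . '|' . $nonce . '|' . strtolower(trim($userAnswer)), CAPTCHA_SECRET);
    return hash_equals($expected, $mac); // constant-time comparison
}

// Usage sketch inside the backend's validation handler:
// if (!captcha_verify($_POST['captcha_token'] ?? '', $_POST['captcha'] ?? '')) {
//     http_response_code(400); echo 'captcha failed'; exit;
// }
```

A solved token can be replayed until it expires, since nothing here records that it was used; if single-use matters, the backend has to remember consumed nonces (for example in a cache keyed by nonce until the expiry passes), which reintroduces some server-side state but still no per-user session.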