dtwxt88240 2014-03-24 21:51
Views: 104
Accepted

How to start a valid user session inside an iframe

I need to set up a Master Site that would embed Site 1 and Site 2 in iframes, log in and start user sessions within them.

Site 1 (RoR) and Site 2 (unknown framework) have got their own authentication (username, pass, cookies, usual framework security).

Master Site (PHP) server has direct access to Site 1 database and I know the password hashing algorithm so I can validate Master Site's login password against Site 1. Site 2 can get their passwords to be changed accordingly if needed, but no access to db nor framework.

I cannot change anything in either Site 1 or Site 2, unfortunately. I can only build around it though full read access to Site 1 is present.

I've sketched a quick diagram to better show what I mean/need:

Diagram: http://gettaxi.me/public_img/help.png

I need to start a user session inside an iframe. The login credentials of Site 1 are identical to Master Site's as they come from the same db, credentials for Site 2 will be assumed same (might just show login failed if they're not).

Idea list so far:

  1. I could record the login credentials into Master Site cookie and use it to populate the iframe fields. Maybe store an encrypted version and decrypt when needed? But still, storing a password in cookies (even encrypted) seems absurd.

  2. Same as above but store it in Master Site session variable.

  3. The idea of cross-domain cookies seems useless here because every site has to set its own session cookies; one website can't set it for another...

I've never dealt with anything cross-domain like this before. So before I go and start coding things like a madman that might or might not work, I turn to you for help and advice! How would you go about accomplishing this? Is this possible at all?

Additional questions:

  1. Do cookies set by Site 1 and 2 from within iframes behave the same? Are they persistent and if I'd open the same website NOT in an iframe later, would they be accepted?

  2. If storing credentials (cookies/session) is the only way to go: how would I then populate the login fields in an iframe and submit the form? JavaScript? Some neat GET/POST/redirection trick?

Thanks in advance!


1 answer

  • dongtao6842 2014-03-31 09:02

    Ok, it turned out to be quite simple. And to stick it to the downvoters ... face - I'll post my own solution here, who knows, maybe someone will find it useful.

    1. User logs in to Master Site
    2. Validate credentials
    3. Generate a random client token
    4. Encrypt the password with that token and store the crypto in a session variable
    5. Set a cookie and store that token in users browser

    jQuery actions when Link to Site 1 or 2 is clicked:

    1. Send an ajax request to server with that token
    2. Validate user session and decrypt stored password on success
    3. Send the password back to client and pre-fill username and password fields of a hidden form that mimics the iframed website's login form
    4. Submit that form with target="iframe"
    5. Clear those pre-filled form fields

    Voilà, a working cross-domain iframe auto-login...

    Of course there's more going on like hiding, unhiding divs on button clicks, session timeouts, token expiry renew upon any user action and so on, but the main thing is that it works! Yes, the password is sent in plain 3 times but none of those websites have HTTPS in place anyway. The password is not stored in plain either.

    Update:

    Spoke too soon. There are issues with IE and Safari when iframe content returns Access-Control-Allow-Origin headers. Their stronger security policies treat iframe content with caution and do not allow session cookies to be saved. It can either be fixed by dropping privacy setting by a notch in IE, allowing 3rd party cookies in Safari or simply detecting the browser and if it's one of the above - open it in a new tab/window.

    Otherwise, works fine in: Chrome, Firefox, Opera and Maxthon

    This answer was selected by the asker as the best answer.
