从外部站点发送脚本时的用户登录会话

Question

I'm working on a bookmarklet solution with similar functionality as Instapaper (bookmarklet functionality that is, not site functionality).

For my first bookmarklet version I sent the user to mysite.com/add.php?url=[url], which then did what I wanted to do (added url to the database, etc) in the backend as long as the user was logged on to my site since before (session kept alive using cookies). The user then had to press a back button to return to the original site. This worked as intended.

Now I want to let the user remain on the original site (as the instapaper bookmarklet does) while I do the backend stuff in the background, therefore:
- The bookmarklet now appends a javascript function to the original site
- The javascript uses a form and submits the URL to mysite.com/add.php with url as a variable (add.php is unchanged)
- I output status from add.php into an iframe that appears on the orignal site

This works so far that the url is sent to add.php, while the user remains on the original site, and the status is printed in the iframe I temporarily display on the original site.

However, from the scripts point of view the user no longer appears to be logged on, even if he/she is when mysite.com is accessed directly. I'm using this login system (http://www.evolt.org/node/60384).

Can you point me in the right direction? Let me know if you need more info.

Thanks

Answer 1

Are the cookies actually being sent to the add.php file? Have you checked with any sort of dev tools or tried `var_dump($_COOKIE)"?

What browsers have you tested it in?

Off of the top of my head from what's given, I'd guess this is the browser's doing as a security precaution - otherwise any site could include an iFrame, and through JavaScript start performing actions as you on some other site without your knowledge.

Looking around, I did find this potential workaround that specifically refers to IE7, but I have no idea if it relates to your issue as I don't know if this is only an IE issue for you.

Answer 2

Since I get this to work in IE, but not in Firefox or Chrome, I'm leaning at the conclusion that it's due to the browsers security precautions, and that I won't get it to work by only using php session.

I've therefore come up with an alternative solution to what I want to achieve, that I want to run by you.

Please comment:

1) When a user register at my site, I create a random unique static identifier (RUSI) for that user (ie not the username or hashed pwd)
2) I append this RUSI to the bookmarklet code (meaning the bookmarklet can only be added while the user is logged in to my site)
3) When the user press the bookmarklet, my script checks what username the RUSI corresponds to, and checks if that username is in my active_user table (that consists of all logged in uers)
4) If the username exists in the active_user table, then the bookmarklet does what it supposed to do, otherwise i print "please login" or similar.

As said, please comment on this solution, as I have a hard time figuring out if this is a good or really bad approach. The obvious down side is of course that a user who finds out another users RUSI can execute the script on his/her behalf as long as he/she is logged in.

Thanks.