Passing Username and Password with IFrame

Question

I have a question in mind.

Is this possible?
I need to put the login page of our other site into an iframe. and when logged in you will see a graph.

What I need is when I click the hyperlink is it will show the page in the iframe but autofill and auto- logged in the account so that what they will see is not the login page but the graph inside it.

Is there a way to pass the username and password in the iframe and trigger the logged in button or auto logged in?

Can do this in PHP or jquery?

Regards to all and thanks in advance.

Answer 1

Do not expose the password rather create a unique key you can send over with them to authenticate them on the page that will be displayed in the iframe. This assumes that both systems are aware of the user and the unique key.

When you setup the iframe you can set its source to include some URL parameters:

<iframe src="http://example.org/api?key=<?php echo $unique_key; ?>">

This will get you around cross domain issues that a javascript method of doing this would throw up.

Answer 2

The only caveat in Treffynnon's answer is that it requires you to have access to both systems to create a sort of "login code" web service that the two can use to communicate. If you only have access to the first site (the one that you want to include the iframe on), what I would do is the following (please note that this is not as secure as Treffynnon's answer):

1. load the page without the iframe
2. using ajax, query your server (over SSL!) for the username and password that you'll need to submit to the other server.
3. dynamically create your iframe, populated with a form that is basically identical to the login form on the other server, submitting with the same "method" to the same "action" as the other form. Then dynamically submit it. This should set the appropriate login cookies on the client so that they are logged in. Make sure you use SSL everywhere.
4. dynamically redirect the iframe to the page that has the chart you want to see.
5. obliterate any javascript variables that held secure login information.

Potential issues:

• Some login processes are extremely finicky, and may be impossible to log in with using this method.
• You're dramatically increasing the number of attack vectors on your site. For example: step 2, querying the login credentials, assumes that your security is adequate to prevent people querying for data they shouldn't have access to.
• All of this assumes that it would be OK for the end user to access the login credentials, say, they have one username and password that they use at both sites. If you have 1 site-wide login that you're using to give your end users access to something they wouldn't otherwise get, then this will expose your login details to all of your users and you shouldn't do it. In that case, your only option is to do something completely on the back end. If you have access to the code for both sites, use Treffynnon's suggestion, otherwise you'll have to access and download the chart on the back end and re-display it for your users.

Answer 3

The first what you can try, is sending the username and password with GET method in iframe. Like src=yourscript.php?user=me&pass=secret so you can try to auth the user on the other side.