
Best way to securely set a session cookie on another domain

We currently have 2 sites, http://www.foo.co.uk and https://secure.foo.com.

The www site does not have an SSL certificate and is on a different domain.

We have a login button on http://www.foo.co.uk that, when clicked, opens up an iframe of https://secure.foo.com with a form; when the user logs in it creates a session cookie on that domain (foo.com).

The session cookie then needs to be copied to foo.co.uk, so what it does is redirect you to http://www.foo.co.uk/setcookie.php?session=abcd1234, which allows us to set the same cookie on the origin domain.

This is not a very secure solution, so I have been looking into how to make this better. The best idea I have found is to send a hash using something like hash_hmac along with the params to the setcookie.php script and then verify it on the other end before creating the cookie.

Whilst this is better, it doesn't prevent man-in-the-middle attacks. Bearing in mind that www is not SSL-secured, I don't think you can prevent this completely, so the next best thing would be to include a timestamp in the hash to make it valid for 5 minutes.

Does anyone have any ideas on how I can make this better, or point out any pitfalls with this approach? I would be most grateful.

You can have a shared secret between your 2 domains and use a symmetric encryption algorithm to encrypt the cookie value, or set up a public/private key pair on the insecure domain and have the secure domain encrypt the cookie using the public key of the insecure domain.

Also, bear in mind that encrypting the login process but afterwards transferring the session cookie over an insecure channel might allow an attacker to impersonate your users (see the Firesheep Firefox extension for more information).
