
<h1>Pass HTTP session for third party site from server to client</h1>
<p>Let's say my web app is acting on behalf of users who give their credentials to my app so the app can make API calls to a third party service. Incidentally, this is for posting product offers to this third party site (bit like eBay, but on a smaller scale).</p>
<p>Now one super convenient way to make this posting easy would be to reuse the sophisticated web form that third party service has to accept product offers for authenticated users. The idea is to populate their web form and redirect the client browser to it so the user can edit things there using the sophisticated and familiar web form. This would be the best user experience and the least implementation work.</p>
<p>However, it is not a documented way to do it. What's more, it doesn't work in the simple way, like populating the form fields from request parameters (GET or POST). The web form just doesn't work that way.</p>
<p>There might be an alternative. My app could open a session with the third party app on the user's behalf, submit all data so it is stored in their database, and then send the user's browser all the data it needs to take over the session that my server app opened on his behalf. Note that I haven't tried this yet; and I reckon it might fail if the third party app ties a session to an IP number (which, whether sound or not, an app might do).</p>
<p>But wouldn't it be possible to have the server program opening the HTTP session write all the information needed to take over that session to an HTML/JavaScript document and send that document to the user's browser, where the JavaScript executes and assembles a request such as is composed when using a browser on the third-party form directly, which I've been observing using HttpFox?</p>
<p>All the information, that is everything HTTP; it's obviously not possible to pass the server's IP number to the client ... But all cookies and parameters. The JavaScript executing in the browser would then have to use the information I'd be somehow passing in the document (probably in the script part) to compose a request to the third party web site that goes right into the session the server app has opened. This would mean that a document originating from my domain would set cookies (add request headers) to then have the user's browser execute that request.</p>
<p>So in other words, is it technically possible to pass a session from the server to the client?</p>
<p>How would you do it in JavaScript?</p>
<h2>Update</h2>
<p>According to <a href="https://stackoverflow.com/a/6761443/269126">answers to another question: <em>You cannot set cookies for another domain. Allowing this would present an enormous security flaw.</em></a> Goes to show I'm not a frontend developer.</p>
<p>Not giving up, yet. There's the <code>XmlHttpRequest</code> object. Maybe this can be abused for my evil purposes?</p>
<h2>Second Update</h2>
<p>So I experimented with <code>XmlHttpRequest</code>. Bad news (for me and this particular case): It appears it won't work using <code>XmlHttpRequest</code> either because (using the current Firefox) my nicely forged requests are rewritten according to what appears to be slated to become a <a href="http://www.w3.org/TR/access-control/" rel="nofollow noreferrer">W3C standard on Cross-Origin Resource Sharing</a>, so a <code>Cookie</code> header is simply removed and dummy headers <code>Moin</code> and <code>Gurke</code> are reduced to <code>Access-Control-Request-Headers: gurke,moin</code>. Now frankly, this is spoiling the game <em>big time</em>. I'm disappointed.</p>
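<p>The browser behaviour the second update reports (the <code>Cookie</code> header dropped, the custom headers collapsed into <code>Access-Control-Request-Headers: gurke,moin</code>) and the server-side opt-in that a preflight then requires, modelled as an added JavaScript example that is not part of the question. The forbidden and safelisted header lists are partial, and the origins and allow-lists are constructed assumptions.</p>

```javascript
// Added example, not code from the question: a model of the two browser-side
// rules the questioner ran into, followed by the preflight check the
// third-party site's server would have to pass before the browser releases
// the cross-origin request. Lists and origins are constructed for illustration.

// Partial list of forbidden request header names from the Fetch standard;
// browsers silently drop these when a script tries to set them.
const FORBIDDEN = new Set(["cookie", "cookie2", "host", "origin", "referer",
  "set-cookie", "content-length", "connection", "transfer-encoding"]);
// CORS-safelisted request headers that do not by themselves force a preflight.
const SAFELISTED = new Set(["accept", "accept-language", "content-language", "content-type"]);

// What the browser actually sends for a cross-origin XMLHttpRequest whose
// script set `requestedHeaders` (name -> value): the surviving headers and
// the preflight's Access-Control-Request-Headers value, which the spec
// builds as lower-cased, sorted, comma-joined names.
function browserRewrite(requestedHeaders) {
  const sent = {};
  for (const [name, value] of Object.entries(requestedHeaders)) {
    const lower = name.toLowerCase();
    if (FORBIDDEN.has(lower) || lower.startsWith("sec-") || lower.startsWith("proxy-")) continue;
    sent[lower] = value;
  }
  const nonSafe = Object.keys(sent).filter(h => !SAFELISTED.has(h)).sort();
  return { sent, preflightHeaders: nonSafe.join(",") };
}

// Server side: the third-party site's OPTIONS handler. `allowedOrigins` and
// `allowedHeaders` are that site's own policy (hypothetical here). Without a
// 2xx answer carrying matching Allow-* headers the browser never sends the
// real request, and the user's own cookies only ride along when the site
// explicitly allows credentials for a specific origin.
function handlePreflight(origin, requestHeadersValue, allowedOrigins, allowedHeaders) {
  if (!allowedOrigins.has(origin)) return { status: 403 };
  const requested = requestHeadersValue.split(",").map(h => h.trim()).filter(Boolean);
  if (requested.some(h => !allowedHeaders.has(h))) return { status: 403 };
  return {
    status: 204,
    headers: {
      "Access-Control-Allow-Origin": origin,       // a specific origin, never "*" with credentials
      "Access-Control-Allow-Credentials": "true",  // browser may attach the user's OWN cookies
      "Access-Control-Allow-Headers": requested.join(", "),
      "Access-Control-Allow-Methods": "POST",
      "Vary": "Origin",
    },
  };
}
```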