Make users logged in another site (which is of a different domain) - javascript

I am working on internal website, which is used only within the company. The requirement for one of its pages is to log-in to our vendor sites (which are all on different domains).
For this I open these vendor sites within an iframe of the internal website.
Say,
Internal site: us.com
Vendor sites: foo.com, bar.com
On us.com/openvendor , there are two options: foo and bar. When a user clicks on foo, the iframe within the page opens foo.com in signed in state.
To achieve this, I replicate the login form of foo.com and post all the required parameters like username, password etc. to foo.com's page. I have all the usernames and passwords of different vendors stored in database.
Why do I do this? Because we don't want the users of this site(mostly our CRM team) to know the passwords (lest they use it to do unwanted and untracked transactions) and the activities done through us.com is recorded and saved.
So essentially, we enable users to login to any vendor site, just by clicking on a link.
This was working perfectly fine until one day, when I had to add a new vendor site which doesn't post an html form for authentication. This site (say whattodo.com) makes an ajax call to a url with login credentials, which returns back an authentication cookie. This cookie is then set by the site to make the user logged in.
Now how can I make my end users login to whattodo.com on a click?
I cannot make the ajax call to whattodo.com
Even if I overcome the above problem by storing the auth cookie value in my database and updating it monthly(ya that's when the cookie expires), I cannot set this cookie under whattodo.com domain in the user's browsers.
Please suggest a possible solution.
And please feel free to edit the title. I'm sure there's a better one to summarize the question.

Related

Is there a way to perform a "Submit" function outside of the website?

I am trying to figure out if it is possible to click on a button on the Amazon website from outside of the website.
For Example: At the bottom of every product review is a "Helpful" button. If a review was helpful, the reader/shopper can click this button to let the reviewer (and Amazon) know that the review was helpful. (It's basically a "Like" button).
What I'm trying to accomplish:
I want to post my reviews on my own website/blog and still obtain "Likes" without asking readers to click a link to a product page, then search for my review, then click the button.
You probably won't be able to do what you have in mind.
JavaScript can generally access information on another domain except if specifically configured in the origin website through CORS. Unless you own amazon.com, you won't be able to configure amazon's CORS headers to make them accessible to some JS running on your website.
You can however, from your website front-end, make a request to your website back-end that would be able to access amazon's data just like your browser does. Using a browser emulator like Puppeteer, you'll be able to launch an amazon page and programmatically retrieve infos, click on things and do other stuff.
However, the page that Puppeteer will be able to spin up will include credentials (cookies, localstorage content, auth token, etc) provided by your server, so Puppeteer will not see the same amazon.com your user sees on his browser, unless your user agrees to give you its amazon credentials, and at this point I'm pretty sure no user would do that, and that would not be authorized by amazon's terms of services.
TL;DR even if what you have in mind is not impossible, it would weeks for your and your team to code a system that would potentially allow you to do that, and that's provided the law is on your side, which is probably not the case.

Admin, Teacher and Student, if a student is not logged out and you open a new tab trying to access admin you will bypass login

I have created a project as that has admin, teacher and student. They all have login forms and redirect to different based on who logged in, thus i have 3 folders student folder, admin folder and teacher folder and afer each one login the page will take them to the appropriate pages in their folders but without destroying the session it redirects user to the contents of admin pages. Personally i think it is because i put
session_start();
if(!isset($_SESSION["username"])){
header("location:index.php?action=login");
}
to each page. please help what can i add to make sure that each individual user can access what they are required to access
You have at least 2 issues here:
You assume that opening a new tab should not share the session with other tabs. I don't remember the details on PHP sessions. But, afaik, the state is stored on the server, and it uses some magic such as cookies to figure out what is the session that you are using. Problem is that two different tabs will hardly start a new session. In fact, the only possibility I see is if the session id is passed along with each request as a url or a header - then you can pick the correct session... which is pretty seldom used because use cases where such approach is needed are limited. (tbh, running 2 different sessions in 2 tabs is not a very real scenario). If you really want to run separate sessions on the same machine, you can try to run several incognito windows.
Second, more important issues, is the logic behind your application. Possibility of going to any page, once you have passed a login for any of the users means that the ritual of providing 3 logins into your system is totally useless, since there are no internal checks if the user is having rights to go to one or another page. Proper thing to do, is, once you logged in, to store the role (student, teacher, admin) as a session parameter. Then, on each page you should verify not only that the user name is set, but that stored role matches the role definition needed to view this particular page. If role does not match, then you should handle it appropriately. You may log user out, or display an access error message and provide a link tor redirect to allowed page.

How to know an ip address has viewed all the links?

Suppose, I have 200 links and if the visitors visits continuously all the links then I want to offer a free pdf book
after last link but if someone directly visits last link then offer should not display.
In this case the user may visit the site per month or any long time to complete the tutorial site (this site) and the
user may delete the cookies so I should not use local storage or something like that.
So, I'm pulling an option with the users' ip address and if that ip's users completes the whole page visit the offer should be displayed.
So, how to decide if an ip address has viewed all the pages and if the user is at last link then display offer.
Does it have a login feature? If so I would track page views by url and userId.
The shortcoming of ip address is that different people using the same computer will count towards the same tracking. Also, you will not get credit if you visit the site from two different locations.
It is not possible to track the information with only the ip address. The IP address can change everytime the user reconnects to the internet e.g. reboot router. You will have to provide user login feature so you can associate the link visits with that user account.
The usual way to do this would be as follows using some server-side storage:
When a browser hits your server on any of the pages you are tracking, you see if there's already a tracking cookie in the browser. If not, you coin a unique ID for this browser and put it in a cookie that you set into that browser. Make sure the path allows visibility of the cookie anywhere on the site and set the expiration for however long you want.
In your server-side database, create an entry for this cookie ID and record that the page that was just hit has now been seen by this cookie ID.
On any subsequent page hit, get the cookie ID, look it up in the database, record that this page has now been viewed by that ID and check if all the required pages have now been viewed by that ID. If so, add the special offer to the delivery of the current page.
Using a cookied ID like this avoids issues with multiple browsers sharing a single IP address (which even happens on home networks and happens all the time on corporate networks).
If your site has a user login, it's even better to use the login ID as the user identifier because that allows you to accumulate the browsing history of the user even if they use multiple browsers/multiple computers as long as they login first.
FYI, some of the logic above can also be implemented via ajax calls made from the client upon each page load rather than work done at the time of serving the page - though this adds an extra server request for each page.

How to start a valid user session inside an iframe

I need to setup a Master Site that would embed Site 1 and Site 2 in iframes, login and start user sessions within them.
Site 1 (RoR) and Site 2 (unknown framework) has got their own authentication (username, pass, cookies, usual framework security).
Master Site (PHP) server has direct access to Site 1 database and I know the password hashing algorithm so I can validate Master Site's login password against Site 1. Site 2 can get their passwords to be changed accordingly if needed, but no access to db nor framework.
I cannot change anything in either Site 1 or Site 2, unfortunately. I can only build around it though full read access to Site 1 is present.
I've sketched a quick diagram to better show what I mean/need:
a busy cat http://gettaxi.me/public_img/help.png
I need to start a user session inside an iframe. The login credentials of Site 1 are identical to Master Site's as they come from the same db, credentials for Site 2 will be assumed same (might just show login failed if they're not).
Idea list so far:
I could record the login credentials into Master Site cookie and use it to populate the iframe fields. Maybe store an encrypted version and decrypt when needed? But still, storing a password in cookies (even encrypted) seems absurd.
Same as above but store it in Master Site session variable.
The idea of cross-domain cookies seem useless here because every site has to set it's own session cookies, one website can't set it for another...
I've never dealt with anything cross-domain like this so before. So before I go and start coding things like a mad man that might or might not work - I turn to you for help and advice! How would you go about accomplishing this? Is this possible at all?
Additional questions:
Do cookies set by Site 1 and 2 from within iframes behave the same? Are they persistent and if I'd open the same website NOT in an iframe later, would they be accepted?
If storing credentials (cookies/session) is the only way to go: how would I then populate the login fields in an iframe and submit the form? Javascipt? Some neat GET/POST/redirection trick?
Thanks in advance!
Ok, it turned out to be quite simple. And to stick it to the downvoters ... face - I'll post my own solution here, who knows, maybe someone will find it useful.
User logs in to Master Site
Validate credentials
Generate a random client token
Encrypt the password with that token and store the crypto in a session variable
Set a cookie and store that token in users browser
jQuery actions when Link to Site 1 or 2 is clicked:
Send an ajax request to server with that token
Validate user session and decrypt stored password on success
Send the password back to client and pre-fill username and password fields of a hidden form that mimics the iframed website's login form
Submit that form with target="iframe"
Clear those form pre-filled form fields
Vuala, a working cross-domain iframe auto-login...
Of course there's more going on like hiding, unhiding divs on button clicks, session timeouts, token expiry renew upon any user action and so on, but the main thing is that it works! Yes, the password is sent in plain 3 times but none of those websites have HTTPS in place anyway. The password is not stored in plain either.
Update:
Spoke too soon. There are issues with IE and Safari when iframe content returns Access-Control-Allow-Origin headers. Their stronger security policies treat iframe content with caution and do not allow session cookies to be saved. It can either be fixed by dropping privacy setting by a notch in IE, allowing 3rd party cookies in Safari or simply detecting the browser and if it's one of the above - open it in a new tab/window.
Otherwise, works fine in: Chrome, Firefox, Opera and Maxthon

Facebook Connect for one application with multiple domains?

I'm implementing a plug-in that's embeddable in different sites (a la Meebo, Wibiya), and I want to use Facebook Connect. The plug-in is supposed to be embeddable in sites with different domain names. Problem is, Facebook connect allows only one domain per application you register.
The question is, how can I have multiple domains for a single Facebook application, assuming:
When users "Allow" the application on one site, they won't have to "Allow" it on other sites as well.
Preferably, after the initial log-in, users won't see a pop-up opening on every site they log-in to (i.e. - I'd rather not open a link to my domain and do the log-in process from there).
Is there anyway of doing that?
If not, is my only option is to manage all the log-ins from a single domain and pass the cookies back to the original domains?
And if I pass the cookies between domains, how can I be sure that Facebook won't block this kind of behavior in the future?
I'd appreciate any suggestions, though I'd prefer an official solution over hacks, if at all possible.
Im assuming you are using facebook.php by Naitik Shah? Your widget would need to be on every page of course and include the async script connect-js.
I am currently developing a facebook login based application myself.
I would say the best solution is too login through your own domain and pass the cookie. Your app/widget will be the only one they allow to share information with. Nothing should be different in operation from a single page solution. I envisage a PHP plugin which executes a login from an outside domain and passes through the cookie to the site via the widget. return the cookie securely how you wish (except for something dodgy like storing it in a div and retrieving it..or something a hacker could try to spoof). the site will then use the cookie for account and user id purposes and the widget will control all login actions and session finding using the async script (but routed through a different domain).
Sorry I can't be more help but this is the only solution I can think of, and it seems you have already anyway.
In terms of keeping session control across different domains you only need the 3rd party cookie to be active. Once your page is activated for your domain you will already have the cookie for that domain if you haven't logged out or it hasn't expired. A benefit of using an outside management domain.
It would seem this is also the most reliable way compared to any successful hack for multiple domains, because I would see fb and Oauth2.0 as being ok with an approved party sharing info (cookies) to another party approved by the approved party. But.. It could be problematic if they think the user will have privacy issues, because you could potentially share the cookie on any site without the users permission. So you have to be careful about notifying the user about all the sites they will be auto logged into and treating them with respect.
Good luck with it, hope you let us know how it goes.
There is easy and clean technique -> Single Sign On (SSO). You can search on about it.

Categories

Resources