0

I have a simple login form that lets users log into my website. Once logged in, there is a 3rd party site that I link which users can access and run searches on (it's a database resource that we are partnered with). The problem is in order to access that 3rd party database they first have to log in to THAT site with a simple passphrase (which is the same for every user) and get a cookie.

I'd like to simplify the whole process by running a jQuery $get call to that 3rd party website when users sign in to my website so that they are authenticated with that 3rd party cookie and can seamlessly access the 3rd party database. Is that possible?

asolberg
  • Same origin policy says no... – gdoron May 10 '12 at 22:23
  • I thought the "same origin policy" says that functions and methods defined from one domain may access each other but may not access functions and methods from other domains. I'm not trying to access another domain's functions or methods, I'm trying to instruct the client's browser to run a GET request to another website and pass the passphrase in the URL in order to receive a cookie. – asolberg May 10 '12 at 22:32
  • Have you looked at JSONP? http://en.wikipedia.org/wiki/JSONP – Duncan May 10 '12 at 22:47

1 Answer

0

Such a call won't work due to browsers preventing loading from third-party sites ('same origin policy'), but what about a simple, hidden iframe? Since you said you would use a GET call, you should be able to make the same request from their browser in an iframe that is hidden.

Andrew Barber
  • Interesting idea, I would not be opposed to a hidden iframe. One question though: You say that the request in the iframe would be allowed because it came from "their" browser. But that's the same case with jQuery, right? The whole model of JavaScript is that it runs from the client's computer. With jQuery I would be instructing their web browser to make an HTTP GET request to a 3rd party URL and pass a passphrase in the URL in order to receive an authentication cookie. So why won't that work? – asolberg May 10 '12 at 22:36
  • jQuery is just JavaScript, and as a security precaution, browsers enforce a "Same Origin Policy" on JavaScript calls via the `XMLHttpRequest` object (which is what all Ajax requests go through). It's actually a standard all browser vendors observe, and doesn't only apply to XMLHttpRequest; it also applies to things like trying to access the DOM on a different website that might be loaded in a frame or tab. – Andrew Barber May 10 '12 at 22:41
  • One of the reasons is that an XMLHttpRequest enables not just `get` requests, but `post`, `put`, `delete`. It is to protect the *destination* domain that web browsers enforce this. Yes - you can still do `get` requests via frames, but that is needed for attaching content; and iframes aren't even required for that (you could just as easily load your "cookie page" as the `src` of an image, though that would be semantically incorrect to do) – Andrew Barber May 10 '12 at 22:44
  • Got it. And I also just found this which explains the policy: http://stackoverflow.com/questions/1830050/why-same-origin-policy-for-xmlhttprequest Thanks, I'll look into the hidden iframe. – asolberg May 10 '12 at 22:53
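
The hidden-iframe approach from the answer above, as an added example that is not part of the original posts. The partner URL, the `passphrase` parameter name and the function names are assumptions.

```javascript
// Added example. The partner URL and the "passphrase" parameter name are
// hypothetical; substitute whatever the partner's login endpoint expects.

// Build the cross-origin login URL. Anything placed here is readable by
// every user who views the page source.
function buildPartnerLoginUrl(baseUrl, passphrase) {
  const url = new URL(baseUrl);
  url.searchParams.set('passphrase', passphrase);
  return url.toString();
}

// Create an iframe that is not rendered but still performs the GET.
function createHiddenLoginFrame(doc, loginUrl) {
  const frame = doc.createElement('iframe');
  frame.style.display = 'none';
  frame.setAttribute('aria-hidden', 'true');
  frame.src = loginUrl;
  return frame;
}

// Resolve when the frame finishes loading, reject after timeoutMs.
// "load" only says the navigation finished: the same-origin policy keeps the
// parent from reading the frame's document or the partner's cookie, so this
// cannot confirm that the login worked. Whether a cookie set inside a
// cross-site frame is stored depends on the browser's third-party cookie
// settings.
function primePartnerSession(doc, loginUrl, timeoutMs = 5000) {
  return new Promise((resolve, reject) => {
    const frame = createHiddenLoginFrame(doc, loginUrl);
    const timer = setTimeout(() => {
      frame.remove();
      reject(new Error('partner login frame timed out'));
    }, timeoutMs);
    // Attach the listener before inserting, so the event cannot be missed.
    frame.addEventListener('load', () => {
      clearTimeout(timer);
      resolve(frame);
    }, { once: true });
    doc.body.appendChild(frame);
  });
}

// In the browser, after your own login succeeds:
// primePartnerSession(document,
//   buildPartnerLoginUrl('https://partner.example/login', 'EXAMPLE-PASSPHRASE'));
```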