We have a multi-domain platform that uses a central domain for authentication and API operations.

- API & Authentication + Account Management: https://example.com
- Read Only + Widget Actions: http://example.com, http://example.net, http://example.org
I've read most (if not all) of the StackOverflow questions concerning this type of setup, but couldn't find insight into this concern. (Most Q&As on this have been on the general principles involved, little on the particulars.)
We're using Porthole.js (a javascript iframe proxy library) to push API calls between https://example.com and the other domain names. Everything works perfectly.
I'm trying to wrap my head around 'login state' and persisting user data for customizing javascript.
Looking at how sites like StackOverflow itself are modeled, my first thought was this:
- Cache login status + customization data (username, photo, etc.) + cookie data in localStorage on https://example.com for 10 minutes, or until logout. After 10 minutes, the cache will hit the server's API to update.
- On first hit to a network site, query the remote localStorage. If they are logged in, proxy back the login status, customization data, and http (not https) cookie ids. This data is then considered 'fresh' for 10 minutes, or until logout.
- The cookie from http://example.com is cloned onto the requesting domain, replacing that session. This allows me to use a single cookie / id across domains.
I'm mostly worried about that last step - cloning the http cookie - even though it's only used for tracking and 'preview' access. But this whole system relies on browser security models, and I might be missing something. It seems like an elegant and 'just-as-secure' mechanism as if I used an AuthTicket model (user visits https://example.com/auth-request?destination=http://example.net/auth-response, is redirected to http://example.net/auth-response?nonce=VERYBIGNUMBER) or made a transparent OAuth request within an iframe.
Can anyone shed light on apparent/obvious security concerns that I missed, or does this seem as secure as the alternatives?
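The first two steps of the scheme above (a 10-minute localStorage cache on the central domain, and a cross-domain request for login status answered through an iframe), as an added example that is not part of the original question and not Porthole.js code. It uses the raw `postMessage` event shape (`origin`, `data`, `source`) rather than Porthole's wrapper, injects the storage, clock and API call so it runs both in a browser and offline in Node, and checks the requesting origin against an allowlist of the network sites before answering. The storage key, the message `type` values and the shape of the API response (`loggedIn`, `username`, `photo`) are assumptions; the cookie-cloning step is deliberately left out, so only display data crosses the origin boundary.

```javascript
// Added example, not from the original question or from Porthole.js.
// A TTL'd login-state cache for the central https domain plus an
// origin-checked handler for "getLoginState" messages from the network sites.

const TEN_MINUTES_MS = 10 * 60 * 1000;
const CACHE_KEY = 'loginState'; // assumed storage key name

// Minimal in-memory stand-in for window.localStorage (constructed for the example).
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: (k) => { m.delete(k); },
  };
}

// Caches login status + customization data for ttlMs, or until logout().
// fetchFromApi stands in for the call to the central domain's API and is
// assumed to return { loggedIn, username, photo }; a real one would be async.
class LoginCache {
  constructor({ storage, fetchFromApi, now = () => Date.now(), ttlMs = TEN_MINUTES_MS }) {
    this.storage = storage;
    this.fetchFromApi = fetchFromApi;
    this.now = now;
    this.ttlMs = ttlMs;
    this.apiCalls = 0; // counts refreshes so the TTL behaviour is observable
  }

  // Returns the cached data, or null on a miss, an expired entry, or a corrupt entry.
  read() {
    const raw = this.storage.getItem(CACHE_KEY);
    if (raw === null) return null;
    let entry;
    try { entry = JSON.parse(raw); } catch (e) { entry = null; }
    if (!entry || typeof entry.expiresAt !== 'number' || entry.expiresAt <= this.now()) {
      this.storage.removeItem(CACHE_KEY); // stale or unreadable: drop it and refetch
      return null;
    }
    return entry.data;
  }

  // Serves from the cache when fresh, otherwise refreshes from the API.
  get() {
    const cached = this.read();
    if (cached) return cached;
    this.apiCalls += 1;
    const data = this.fetchFromApi();
    this.storage.setItem(CACHE_KEY, JSON.stringify({ data, expiresAt: this.now() + this.ttlMs }));
    return data;
  }

  logout() { this.storage.removeItem(CACHE_KEY); }
}

// Origins allowed to ask the iframe on https://example.com for login state.
// Only the network sites named in the question are listed.
const ALLOWED_ORIGINS = new Set(['http://example.com', 'http://example.net', 'http://example.org']);

// Handles one message event from a parent window. Returns the reply that would
// be posted back, or null when the request is ignored, so it can be exercised
// without a real window.postMessage.
function handleLoginStateRequest(event, cache, allowedOrigins = ALLOWED_ORIGINS) {
  if (!allowedOrigins.has(event.origin)) return null;            // unknown origin: ignore
  if (!event.data || event.data.type !== 'getLoginState') return null;
  const state = cache.get();
  // Only the fields needed to customize the page cross the origin boundary.
  return {
    type: 'loginState',
    loggedIn: Boolean(state.loggedIn),
    username: state.loggedIn ? state.username : null,
    photo: state.loggedIn ? state.photo : null,
  };
}

// Browser wiring (assumed API endpoint; skipped when run in Node).
if (typeof window !== 'undefined' && typeof window.localStorage !== 'undefined') {
  const cache = new LoginCache({
    storage: window.localStorage,
    fetchFromApi: () => ({ loggedIn: false }), // replace with the real API call
  });
  window.addEventListener('message', (e) => {
    const reply = handleLoginStateRequest(e, cache);
    if (reply && e.source) e.source.postMessage(reply, e.origin); // reply only to the checked origin
  });
}

module.exports = { TEN_MINUTES_MS, memoryStorage, LoginCache, handleLoginStateRequest, ALLOWED_ORIGINS };
```

Two points the code makes concrete: the origin check and the `e.origin` target in the reply are what keeps a page on any other origin from reading the login state out of the iframe, and the TTL is enforced on the central domain's clock at read time, so a logout or an expired entry is honoured on the next request rather than waiting for a timer.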