
My web app has a bookmarklet feature similar to that of Pocket in that while you are visiting any webpage, if you click the bookmarklet, it will save that page to your account for later viewing.

Also similar to Pocket, you must be signed in for it to work, otherwise it won't know which account to save it to and it will prompt you to log in.

I have my web app already set up so that when you visit my domain it knows if you are logged in or logged out, but my problem with the bookmarklet is that it doesn't have access to the auth data from my web app's domain, so the bookmarklet think it's not logged in.

What do I need to do for my bookmarklet to know if the user has already been logged in or not?

nodebase

1 Answer


Your bookmarklet could make an ajax request to your server like below (you will have to allow cross-origin requests on your server to send data back, see http://en.wikipedia.org/wiki/Cross-origin_resource_sharing). It is important to have withCredentials set to true so that the user's session is sent to your server and your server can verify the user's authentication status. Note that the code below uses jQuery. For more details, and for how to do this without jQuery, I would highly recommend this: http://www.html5rocks.com/en/tutorials/cors/

$.ajax({
    url: your_url,             // an endpoint on your app's domain that reports the login state
    xhrFields: {
        withCredentials: true  // send the user's session cookie along with the cross-origin request
    },
    success: function (data) { /* data tells the bookmarklet whether the user is authenticated */ },
    error: function (xhr) { /* e.g. a 401 response: prompt the user to log in */ }
});
winhowes
  • I don't understand. I am to invoke the AJAX call with the proper URL, and then what? – nodebase Feb 23 '15 at 06:13
  • If the user is authenticated to your site, the session cookies will be sent to the server and used to authenticate the user. If the user is not authenticated, the session cookies will not be sent and you can tell the user in the response that they were not authenticated. Does that make sense? – winhowes Feb 23 '15 at 07:01
  • On my server-side, how do I recognize the session cookie? – nodebase Feb 23 '15 at 07:13
  • The same way you do when they interact with the server from the website. Basically, there is no difference on the server side other than you might need to enable CORS – winhowes Feb 23 '15 at 07:17
  • To enable cors in php, checkout http://stackoverflow.com/questions/14467673/enable-cors-in-htaccess – winhowes Feb 23 '15 at 07:17
  • I'm using Firebase as my datastore, and for authentication. Does Firebase support CORS? – nodebase Feb 23 '15 at 08:20
  • From a brief search on their site, it appears the answer is yes: https://www.firebase.com/docs/hosting/guide/full-config.html – winhowes Feb 23 '15 at 08:43
  • That seems to be for their proprietary hosting services only. I have my own hosting. – nodebase Feb 23 '15 at 08:47
  • You'll have to check with your hosting. But if you can add the header of the response, you're good to go. Mozilla's developer network has great info on this with examples: https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS#The_HTTP_request_headers – winhowes Feb 23 '15 at 08:58
  • If I am to send this session data to my server and store it, then later, when the bookmarklet is clicked, I can ask the server if this user is authenticated. Is that correct? That doesn't seem secure. – nodebase Aug 02 '15 at 17:50
  • That's correct. It wouldn't be secure if it was that way by default, but you're configuring your server to allow for that to happen. A better and more secure way to do this is to build a browser plugin instead of a bookmarklet, but that's a different animal – winhowes Aug 03 '15 at 17:01
  • I have a plug-in but I want a bookmarklet, as well. – nodebase Aug 03 '15 at 17:03
  • Yeah, well that's the only way to do it for a plugin unless the plugin opens a hidden iframe that is the same domain as your site and communicates via message passing through the iframe – winhowes Aug 03 '15 at 17:05
  • Are you sure that's even possible with an iframe? I feel like that's not allowed either. – nodebase Aug 03 '15 at 17:05
  • Yep, it is. See: https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage – winhowes Aug 03 '15 at 17:11
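The following is an added example, not code from the answer or from the asker's app, showing both halves of the credentialed cross-origin session check the answer describes. The client half uses fetch with credentials: 'include' (the equivalent of jQuery's withCredentials: true); the server half is modelled as pure functions so the CORS and cookie policy can be unit-tested without a real HTTP server. Everything in it is assumed: the app origin https://app.example.test, a session cookie named sid, the endpoint path /api/session, and the in-memory session store. Two points the comment thread circles around are made explicit in the code: a credentialed response cannot use Access-Control-Allow-Origin: * (browsers reject it), so the server has to echo the request's Origin, and because a bookmarklet runs on whatever page the user is visiting, that echo necessarily lets any site ask "is this visitor logged in?". The endpoint therefore returns nothing but a boolean and sets Vary: Origin so a cache never serves one origin's grant to another. In current browsers the session cookie must also be issued with SameSite=None; Secure, otherwise it is not attached to cross-site requests at all.

```javascript
// Added example, not code from the original answer or the asker's app.
// Assumptions (constructed): app origin https://app.example.test, session id
// in a cookie named "sid", check endpoint GET /api/session, Map-backed sessions.

// ---- bookmarklet side: runs in the context of whatever page the user is on ----
function checkSession(apiBase) {
  // credentials: 'include' is the fetch equivalent of xhr.withCredentials = true.
  // Without it the browser strips the session cookie from the cross-origin request.
  return fetch(apiBase + '/api/session', { credentials: 'include' })
    .then((r) => r.json())
    .then((body) => body.authenticated === true);
}

// ---- server side, modelled as pure functions so the policy is testable ----
const SESSIONS = new Map([['s3cr3t-session-id', { user: 'alice' }]]); // constructed sample session

function parseCookies(header) {
  // Minimal Cookie-header parser: "a=1; b=2" -> { a: '1', b: '2' }.
  const out = {};
  for (const part of (header || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx > 0) out[part.slice(0, idx).trim()] = part.slice(idx + 1).trim();
  }
  return out;
}

function corsHeaders(origin) {
  // A credentialed response cannot use "*"; the server must echo one concrete
  // origin. Since a bookmarklet may run on any page, that origin is the page's
  // origin, so keep the data behind this grant to a bare boolean. Vary: Origin
  // stops a shared cache from replaying one origin's grant to another.
  if (!origin) return {};
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin',
  };
}

function handleSessionCheck(req) {
  // req: { method, headers: { origin?, cookie? } } -> { status, headers, body }
  const cors = corsHeaders(req.headers.origin);
  if (req.method === 'OPTIONS') {
    // Preflight: advertise the method, no body.
    return { status: 204, headers: Object.assign({ 'Access-Control-Allow-Methods': 'GET' }, cors), body: '' };
  }
  const headers = Object.assign({ 'Content-Type': 'application/json' }, cors);
  // Same session lookup the site itself uses: the cookie is the only credential.
  const sid = parseCookies(req.headers.cookie).sid;
  const session = sid ? SESSIONS.get(sid) : undefined;
  if (!session) {
    return { status: 401, headers, body: JSON.stringify({ authenticated: false }) };
  }
  return { status: 200, headers, body: JSON.stringify({ authenticated: true }) };
}
```

In use, the bookmarklet calls checkSession('https://app.example.test') and either proceeds to save the page or redirects the user to the login page; the server wires handleSessionCheck to the route and copies the returned headers onto the real response.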