
I have a slightly strange scenario, but a problem that needs solving all the same!

Please note, the websites described below are on different top-level domains.

I have two web applications, 1 ASP.NET MVC, and another in PHP, both on separate domains. Let's call them asp.com and php.com. Users authenticate on asp.com, and therefore have an authcookie set by ASP.NET.

Now the php.com website fetches data via a REST service from asp.com. This REST service authenticates via the same mechanism, so when I call this REST service via JavaScript JSONP from php.com it works fine. However I wish to call the same REST service from the server in PHP.

Is it possible to somehow get the asp.com website to copy and set an authcookie for php.com (the domain is known and trusted), and then in the PHP code pass this cookie on to authenticate against the REST service on asp.com?

It doesn't need to be the exact AUTH cookie, I could create a new cookie with the relevant session key, as long as a valid authcookie could be created and submitted to the REST service.

Questions

  1. Is this possible?
  2. How do I set the cookie for php.com in asp.com?
  3. Short of one of the domains becoming compromised, are there any security concerns?
Paul Grimshaw

1 Answer

  1. No

  2. The first site, asp.com, will have to redirect to a page in php.com. Then php.com can set the cookie itself, and redirect back to asp.com.

  3. Yes, which is why you can't do it.

Also, see this answer.

John Wu
  • That saved me a lot of pain trying to get it working. I will work on the redirect option – Paul Grimshaw Oct 16 '15 at 07:54
  • Regarding point 2. Is it possible, assuming the relevant info is passed via the URL to php.com, to rebuild the auth cookie in PHP for the rest request? – Paul Grimshaw Oct 16 '15 at 09:28
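
One way to carry the redirect hand-off from point 2 of the answer, as an added example (not code from the question or the answer): asp.com puts a short-lived, HMAC-signed, single-use ticket in the redirect URL, and php.com verifies it before setting its own cookie. The ticket layout, the shared key, `MAX_AGE` and every function name are assumptions; the minting side is written in PHP only so the example runs stand-alone.

```php
<?php
// Added example. SHARED_KEY, MAX_AGE, the ticket layout and all function names are assumptions.
const SHARED_KEY = 'placeholder-load-a-random-32-byte-key-from-config';
const MAX_AGE = 60; // seconds a ticket stays valid

function b64url(string $raw): string {
    return rtrim(strtr(base64_encode($raw), '+/', '-_'), '=');
}

// asp.com side, written in PHP here only so the example runs stand-alone.
function mint_ticket(string $user, int $now): string {
    $claims = ['sub' => $user, 'iat' => $now, 'jti' => bin2hex(random_bytes(16))];
    $payload = b64url(json_encode($claims));
    return $payload . '.' . b64url(hash_hmac('sha256', $payload, SHARED_KEY, true));
}

// php.com landing page: returns the user name, or null if the ticket must be rejected.
function verify_ticket(string $ticket, int $now, array &$seen): ?string {
    $parts = explode('.', $ticket);
    if (count($parts) !== 2) return null;
    [$payload, $mac] = $parts;
    $expected = b64url(hash_hmac('sha256', $payload, SHARED_KEY, true));
    if (!hash_equals($expected, $mac)) return null;            // constant-time MAC check
    $claims = json_decode(base64_decode(strtr($payload, '-_', '+/')), true);
    if (!is_array($claims) || !isset($claims['sub'], $claims['iat'], $claims['jti'])) return null;
    if (!is_string($claims['sub']) || !is_int($claims['iat']) || !is_string($claims['jti'])) return null;
    if ($now < $claims['iat'] || $now - $claims['iat'] > MAX_AGE) return null; // future-dated or expired
    if (isset($seen[$claims['jti']])) return null;              // replayed ticket
    $seen[$claims['jti']] = true;                               // single use
    return $claims['sub'];
}

// Constructed demo input; $seen stands in for a shared store of used ticket ids.
$seen = [];
$t0 = 1700000000;
$ticket = mint_ticket('alice', $t0);
$forgedPayload = b64url(json_encode(['sub' => 'admin', 'iat' => $t0, 'jti' => 'constructed']));
$forged = $forgedPayload . '.' . explode('.', $ticket)[1];     // new payload, old MAC
$cases = [
    'first use' => [$ticket, $t0 + 5],
    'replay'    => [$ticket, $t0 + 6],
    'tampered'  => [$forged, $t0 + 5],
    'expired'   => [mint_ticket('alice', $t0), $t0 + MAX_AGE + 1],
];
foreach ($cases as $label => [$t, $now]) {
    $user = verify_ticket($t, $now, $seen);
    // On success php.com would start its own session and set its own Secure, HttpOnly cookie.
    echo $label, ': ', $user === null ? 'rejected' : "accepted for $user", "\n";
}
```

Because the ticket travels in a URL, it can end up in browser history, proxy logs and Referer headers, which is why the example keeps it short-lived and single-use and never puts the asp.com auth cookie value itself in the query string.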