
So we have a website hosted at www.website.com and another web app hosted at www.app.website.com.

www.website.com is available to anonymous users and was created using WordPress.

On the other hand, www.app.website.com is an HTML5 + AngularJS + C# Web API that relies on cookie authentication.

Current scenario

  • A user visits www.website.com and clicks "login"
  • The browser redirects them to www.app.website.com
  • If they are authenticated then www.app.website.com redirects them to the authenticated users page
  • Otherwise, redirects them to the login page

Question

  • A user visits www.website.com
  • If they are authenticated, i.e., have a valid cookie, www.website.com should redirect them to www.app.website.com
  • Otherwise, they will stay in www.website.com until they press "login"

As far as I understand, we can issue cross-domain cookies, but for security reasons we should prevent JavaScript from accessing them.

With this in mind, what would be the best redirect strategy?

Edit: The issued auth cookies are HttpOnly.

JCS
  • Did you try a cookie with ".website.com"? Discussion is here: http://stackoverflow.com/questions/315132/how-do-i-use-cookies-across-two-different-domains – mkysoft Sep 13 '16 at 10:11
  • Thanks mkysoft! That will solve part of the question (issue a cookie for multiple domains), the remaining part (the redirect) is still open. – JCS Sep 13 '16 at 13:17
  • You can use JS navigation: window.location = "anothersite.com" – mkysoft Sep 13 '16 at 13:38
  • The question is how to detect that we can redirect the user? – JCS Sep 14 '16 at 09:39

1 Answer


You can check cookies with JS: check cookie if cookie exists. WordPress uses a cookie whose name is wordpress_logged_in_xxxxx for a logged-in user. When you detect the cookie in JS, redirect the site.

mkysoft
  • What if the cookies are HttpOnly? Surely they can't be accessed from JavaScript? – JCS Sep 16 '16 at 11:36
  • @JCS the correct way (running with http or https) is building your own plugin for this. Also, there is open authentication already. Maybe you will make a little change so it works only with your system: https://wordpress.org/plugins/wp-oauth/ – mkysoft Sep 16 '16 at 18:16
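
The thread turns on two cookie attributes: `Domain=.website.com` decides which hosts receive the cookie, and `HttpOnly` hides it from `document.cookie` but not from the server. The following is an added example, not code from any of the posts above; it models only those two attributes, and the cookie name `AppAuth`, its value and the helper names are assumptions.

```javascript
// Added example: minimal model of RFC 6265 cookie scoping. Cookie names and
// values passed in are constructed; the hosts are the ones from the question.

// Parse one Set-Cookie header as received from `originHost`.
function parseSetCookie(header, originHost) {
  const [pair, ...attrs] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1),
                   domain: originHost.toLowerCase(), hostOnly: true, httpOnly: false };
  for (const attr of attrs) {
    const [k, v = ''] = attr.split('=');
    if (k.toLowerCase() === 'httponly') cookie.httpOnly = true;
    if (k.toLowerCase() === 'domain' && v) {
      cookie.domain = v.replace(/^\./, '').toLowerCase(); // leading dot is ignored
      cookie.hostOnly = false;
    }
  }
  return cookie;
}

// RFC 6265 section 5.1.3 domain matching (host names only, no IP addresses).
function domainMatches(host, cookie) {
  host = host.toLowerCase();
  if (cookie.hostOnly) return host === cookie.domain;
  return host === cookie.domain || host.endsWith('.' + cookie.domain);
}

// Names the browser puts in the Cookie request header for `host`.
function sentToServer(jar, host) {
  return jar.filter(c => domainMatches(host, c)).map(c => c.name);
}

// Names a script running on `host` can read through document.cookie.
function visibleToScript(jar, host) {
  return jar.filter(c => domainMatches(host, c) && !c.httpOnly).map(c => c.name);
}

// Server-side decision for www.website.com (`authCookieName` is an assumed name).
// Presence is only a hint: www.app.website.com still validates the cookie and
// falls back to its login page, as in the question's current flow.
function landingAction(requestCookieNames, authCookieName) {
  return requestCookieNames.includes(authCookieName)
    ? { status: 302, location: 'https://www.app.website.com/' }
    : { status: 200 };
}
```

With the `Domain` attribute set, the HttpOnly cookie reaches the server at www.website.com while staying invisible to page script, so the redirect check belongs in server-side code there rather than in client-side JavaScript.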