I am currently building an API that needs a username and password to work (obviously). There are two ways that I would like this API to be used:

  1. The "normal" way through REST server-server calls using headers to authorize the user (working fine)
  2. Or through a "third-party" using iframes.

With the second method I'm having a bit of trouble. To explain further the implementation is as follows:

  1. The "operator" has a domain called https://example1.com and on this domain the operator would like to integrate my iframe that calls the above API
  2. On https://example1.com I have added the below code

    // On the operator's site (https://example1.com): make sure a session exists
    if (session_status() == PHP_SESSION_NONE) {
        session_start();
    }
    
    // Store the API credentials in the server-side session store
    $_SESSION['u'] = 'username_here';
    $_SESSION['p'] = 'password_here';
    
  3. The operator includes <?=session_id();?> in the iframe URL, so for example src="https://iframe.example1.com/?sid=<?=session_id();?>"

  4. If the iframe AND the operator website are on the same server this works fine (obviously), as the session storage can be read by both parties: the iframe reads $_SESSION['u'] and $_SESSION['p'], calls the API with the given username and password and retrieves the needed information.

  5. If the iframe is hosted on https://example2.com (a different server), the session data is unreadable.

What are some secure ways to pass through the username and password, while keeping the API as RESTful as possible?

Thank you in advance

pengwin

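The scheme above puts session_id() (and, behind it, the raw password) into a URL that a third-party origin has to consume. The following is an added example, not code from the question or its answer, showing one way to do the handoff without the password ever leaving the operator's server: the operator mints a short-lived HMAC-signed token, the iframe host only relays that token, and the API verifies it. It assumes a per-operator shared secret known to the operator's server and to the API (the `$secrets` array, the `verify_iframe_token` lookup and the hostname `iframe.example2.com` are placeholders chosen for this example).

```php
<?php
// Added example, not the question's own code. Assumptions: the operator's
// server (https://example1.com) and the API share a per-operator secret, and
// the API accepts a short-lived signed token in place of username/password.
// The iframe host (https://example2.com) never sees the password.

declare(strict_types=1);

function b64url_encode(string $data): string
{
    return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
}

function b64url_decode(string $data): string|false
{
    return base64_decode(strtr($data, '-_', '+/'), true);
}

// Operator side (example1.com): mint a token instead of exposing session_id().
// The token carries the username, an expiry and a nonce; the password is
// replaced by an HMAC over those fields keyed with the shared secret.
function mint_iframe_token(string $username, string $secret, int $ttl = 60, ?int $now = null): string
{
    $now = $now ?? time();
    $payload = json_encode([
        'u'   => $username,
        'iat' => $now,
        'exp' => $now + $ttl,
        'jti' => bin2hex(random_bytes(16)),   // nonce: lets the API reject replays
    ], JSON_THROW_ON_ERROR);
    $body = b64url_encode($payload);
    $sig  = b64url_encode(hash_hmac('sha256', $body, $secret, true));
    return $body . '.' . $sig;
}

// API side: verify the token. $secret_for maps a username to that operator's
// shared secret (a closure over an array here; a database in practice).
// Returns the claims on success, null on any failure.
function verify_iframe_token(string $token, callable $secret_for, ?int $now = null): ?array
{
    $now = $now ?? time();
    $parts = explode('.', $token);
    if (count($parts) !== 2) {
        return null;
    }
    [$body, $sig] = $parts;
    $json = b64url_decode($body);
    if ($json === false) {
        return null;
    }
    $payload = json_decode($json, true);
    if (!is_array($payload) || !isset($payload['u'], $payload['exp'], $payload['jti'])) {
        return null;
    }
    $secret = $secret_for((string) $payload['u']);
    if ($secret === null) {
        return null;   // unknown operator
    }
    $expected = b64url_encode(hash_hmac('sha256', $body, $secret, true));
    if (!hash_equals($expected, $sig)) {
        return null;   // tampered token or wrong secret (constant-time compare)
    }
    if (!is_int($payload['exp']) || $payload['exp'] < $now) {
        return null;   // expired: a leaked URL is only useful for $ttl seconds
    }
    return $payload;
}

// --- Demo with constructed values (placeholders, not real credentials) ---
$secrets = ['operator1' => 'replace-with-a-random-32-byte-secret'];
$lookup  = fn(string $u): ?string => $secrets[$u] ?? null;

$token = mint_iframe_token('operator1', $secrets['operator1'], 60);

// The operator embeds the token, not session_id(), in the iframe URL:
$src = 'https://iframe.example2.com/?token=' . rawurlencode($token);

// The iframe host forwards the token to the API unchanged, e.g. with curl:
//   CURLOPT_HTTPHEADER => ['Authorization: Bearer ' . $_GET['token']]
// The API then verifies it:
$claims = verify_iframe_token($token, $lookup);
assert($claims !== null && $claims['u'] === 'operator1');
assert(verify_iframe_token($token . 'x', $lookup) === null);             // tampered
assert(verify_iframe_token($token, $lookup, time() + 120) === null);     // expired
```

In the operator's template the token replaces the session id: src="https://iframe.example2.com/?token=<?= htmlspecialchars($token) ?>". A token in a query string still ends up in server logs and Referer headers, so keep the TTL short, have the API record the `jti` and reject a second use, serve both pages over HTTPS, and set a Referrer-Policy on the iframe host. Rotate the shared secret if it is ever exposed; the password itself is never transmitted in this scheme.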
1 Answer

I don't know if this could fit your needs: instead of calling your API from the iframe, you could try to make an AJAX request to your API from the "operator" domain (with the proper headers) and render the result into the iframe.

Inspired by: How to set custom http headers when changing iframe src?

Community
  • Unfortunately this won't work, as the iframe needs to load some things depending on who the operator is; this will create a "sub-website", so to speak, and therefore will call the API depending on what the request is – pengwin Feb 01 '17 at 11:15