0

I am trying to write a php page that will load several different websites in different iframes. Several of those sites will need the user to login. What I need to do is basically allow the user to only type in the username and password once and then populate all the other forms (that are basically using the same user-pass pair for logging in)

Now i know that since those are external sites you don't have access to the DOM and XSS is not allowed and all, but i was wondering if theres actually any other way to achieve that.

Somebody actually suggested me to simulate keypresses and have a javascript that will basically go from field to field and essentially type in the username and pass but after doing some research I dont think thats possible since you can only simulate the event and not the actual keypress so...any other suggestions?

NOTE: I have also checked this but agreeing with the other sites/domains is not an option in my case!

Thanks -- Mike

Community
  • 1
  • 1
mixkat
  • 3,883
  • 10
  • 40
  • 58
  • You could do this with JQuery. Even posting the forms once you've entered the username and password. – Mr Wednesday Mar 14 '12 at 05:09
  • 1
    yeah, there's a reason browser security prevents this: what you're trying to do is *really* shady. For example, if this worked, one website could quietly submit form requests to other websites (e.g. update the timeline in logged in facebook acounts). – Hamish Mar 14 '12 at 05:25

2 Answers2

1

that depends.

if those sites share a domain (the parent window and iframes), then it's possible for the top window to communicate with the child iframes. AJAX prevents cross domain (that includes inter subdomains) but iframes can communicate as long as they belong to the same top domain.

see https://stackoverflow.com/a/9338955/575527 and https://stackoverflow.com/a/9676156/575527

a better approach is to have a "top domain cookie" where that cookie is visible in all those iframes (assuming they are of the same top domain). login once using a single login page, then subsequent requests in the pages will need to check the cookie vs the session if that user is logged in.

or if those pages have different domains but access the same database, then one can just then pass the session id as a url parameter to the iframes rather than as cookies. then the website in the iframes will parse the session id and check in the database if those sessions are valid, are current, and are logged in.

all of which need additional CSRF and XSS checking as session IDs are in the open.

Community
  • 1
  • 1
Joseph
  • 117,725
  • 30
  • 181
  • 234
0

You cannot do what you describe in JavaScript.

However, depending on what you need to do with the data/websites once the user is logged in, you may be able to use a remote POST to simulate that behavior. See this question for more info.

Community
  • 1
  • 1
Matt Beckman
  • 5,022
  • 4
  • 29
  • 42