Hi, I am having some issues with a cross-domain login not working when 3rd party cookies are disabled. Here is my setup, use "A.com" and "B.com" for the example.

User goes to A.com; if no session on A.com exists, the user is redirected to B.com to log in. They log in on B.com, which sets a login session on B.com, then redirects the user to A.com. A.com does a JavaScript include of a file on B.com that checks to see if the session exists on B.com; if it does, it calls a JavaScript function on A.com (B.com's code is being included onto A.com's site, so it has access to call A.com's JavaScript functions) which includes an encrypted user id/timestamp. A.com then redirects to A.com/login/c2n3857293875p987c5 (random encryption string), which then decodes the string and logs the user in on A.com.

Everything works fine unless you turn off 3rd party cookies. I do not quite understand why. I never set a cookie on one domain from another; I assume it is while trying to read the cookie when it does the JavaScript include from one server to another (it loads a JavaScript file from B.com while on A.com). Is that correct, that this is where the problem is happening? Does anyone have any suggestions around this without completely changing the methodology, or is this method just doomed to rely on 3rd party cookies being enabled?

Thank you for your time.

    Your JavaScript is probably doing the cookie thing.

    This kind of thing is still feasible without cookies of any kind, but handling sessions without cookies requires that you pass around a session ID in your query string. It might work something like this:

    • User goes to A.com where no session is found.
    • They are redirected to B.com where they login.
    • B.com gives them a link to A.com that contains a session id which is a long random sequence of numbers and/or letters.
    • A.com takes that session id and contacts B with it using [man]CURL[/man] or maybe even [man]file_get_contents[/man] depending on your php.ini settings.
    • B.com checks the session id to make sure it's a valid session. If it is, b.com returns valid info. If not, b.com sends a failure notice so a.com can bounce the user.

    To keep things secure, you should probably make sure HTTPS is used for all the login and session id exchanges.
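The flow described in the reply above, as an added example that is not part of the original thread: B.com issues a random one-time session id after login and hands it to the user in a redirect URL, and A.com validates that id with a server-to-server call to B.com (the curl/file_get_contents step) instead of trusting the query string or a third-party cookie. Both sides are simulated in one Python process, so the HTTPS back-channel is a direct method call; the class names, the `sid` query parameter, the 60-second lifetime and the sample user ids are all assumptions made for this example.

```python
import secrets
import time
from typing import Any, Dict, Optional
from urllib.parse import parse_qs, urlparse

# Assumed for this example: the id only has to survive one redirect, so a
# short lifetime limits how long a leaked URL (logs, referrer) stays usable.
TOKEN_TTL_SECONDS = 60


class LoginProvider:
    """Simulates B.com: issues one-time session ids after a successful login."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending: Dict[str, Dict[str, Any]] = {}

    def issue_session_id(self, user_id: str) -> str:
        # 32 random bytes from the OS CSPRNG, URL-safe; unguessable and not
        # derived from the user id or the time, so it cannot be forged.
        session_id = secrets.token_urlsafe(32)
        self._pending[session_id] = {"user_id": user_id, "issued_at": self._clock()}
        return session_id

    def redirect_url(self, user_id: str) -> str:
        """The link B.com sends the browser back to A.com with (assumed URL shape)."""
        return "https://A.com/login?sid=" + self.issue_session_id(user_id)

    def validate(self, session_id: str) -> Optional[Dict[str, Any]]:
        """Back-channel check from A.com. The id is consumed on first use,
        so a replayed or shared URL is rejected."""
        record = self._pending.pop(session_id, None)
        if record is None:
            return None  # unknown, already used, or tampered
        if self._clock() - record["issued_at"] > TOKEN_TTL_SECONDS:
            return None  # expired
        return {"user_id": record["user_id"]}


class RelyingSite:
    """Simulates A.com: never trusts the query string alone, asks B.com first."""

    def __init__(self, provider: LoginProvider):
        self._provider = provider
        # A.com's own first-party session store: local session id -> user id
        self.sessions: Dict[str, str] = {}

    def handle_login(self, query: Dict[str, str]) -> Optional[str]:
        """Returns A.com's own session id on success, None when the user
        should be bounced back to B.com."""
        sid = query.get("sid", "")
        # In production this is an HTTPS request from A.com's server to B.com's
        # server (curl / file_get_contents in PHP); here it is a direct call.
        info = self._provider.validate(sid)
        if info is None:
            return None
        # The B.com id is never reused as A.com's session: A.com mints its own,
        # which it can then set as a normal first-party cookie.
        local_session = secrets.token_urlsafe(32)
        self.sessions[local_session] = info["user_id"]
        return local_session


def parse_query(url: str) -> Dict[str, str]:
    """Flatten the query string of a redirect URL to a dict (first value wins)."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def demo() -> Dict[str, Any]:
    """Runs the exchange once and reports what happened, for the stand-alone run."""
    b_com = LoginProvider()
    a_com = RelyingSite(b_com)
    url = b_com.redirect_url("alice")          # constructed sample user
    query = parse_query(url)
    first = a_com.handle_login(query)           # genuine login
    replay = a_com.handle_login(query)          # same URL used a second time
    return {"first_login_ok": first is not None, "replay_ok": replay is not None}


if __name__ == "__main__":
    print(demo())
```

The important properties are that the id is random and single-use, that it expires quickly, and that A.com learns the user identity only from B.com's answer over the back-channel, never from anything decoded on the client. The follow-up A.com session is an ordinary first-party cookie, so disabling third-party cookies no longer affects the login.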

      Thanks for the suggestion, I will look into that method a little more and see if it's something I can do. If anyone else has any ideas or thoughts, let me know. Thank you.
