Tutorial :Double POSTing user data - security risks/user experience/bad practise?


What are the issues with double POSTing user data?

I am building a site for a client that requires login to a bespoke backend system that I am constructing, and login at the same time to a third party system hosted on a seperate domain. Client system is built in PHP and Vendor system in .NET.

The login process requires both sites to perform authentication and set client-side cookies on their respective domains, so the third-party vendor has proposed that:

  1. We create the login form on the clients domain containing username and password fields
  2. The login form POSTs to a server-side script on clients domain to perform authentication, sets up a server-side session and sets a client-side session cookie.
  3. This login form then redirects to a script on the third-party vendors domain, POSTing the username and password and setting up a server-side session and client-side session cookie on the third-party vendors domain
  4. This login script then redirects back to a "logged in" page on the clients domain with an embedded IFRAME containing a script on the vendor domain, both of which need to pick up their respective client-side cookies that have already been set to reinitiate the user session.

The vendor has proposed that the redirection from client domain login page to vendor login page happens by having a hidden HTML form that performs an immediate JavaScript form submit.

My questions are:

  • Are there issues with security/bad practise/anything I can use to push back against this and get a decent API in place?
  • Is there a better way to do the above, while still being able to log into both systems and set client-side cookies on both domains?


Note:If u also have question or solution just comment us below or mail us on toontricks1994@gmail.com
Next Post »