Posted by shimmyshack on 05/21/07 23:15
On May 21, 10:43 pm, JDS <jeff...@example.invalid> wrote:
> On Tue, 15 May 2007 10:16:35 -0700, shimmyshack wrote:
>
> > in the traditional model of client<->server1.com<->server2.com the
> > credentials (if stored as cookies) will only be valid for domain
> > server1.com, so you cannot hand off the credentials to the client
>
> Okay, so, I think I have my original answer: "NO"
>
> That's okay. I found an acceptable workaround. Note: This workaround may
> not be acceptable to everyone as it uses JavaScript and depends on client
> side behavior!
>
> Solution:
>
> 1) Create PHP script that gathers creds and maps them to the proper
> username/password.
>
> 2) Embed an HTML form that mimics the POST form I need to circumvent
>
> 3) Use the onload() and submit() events to submit creds via POST method
>
> This works! Yay!
> --
> JDS | jeff...@example.invalid
> |http://www.newtnotes.com
> DJMBS |http://newtnotes.com/doctor-jeff-master-brainsurgeon/
Now this /is/ possible as you describe; however, it isn't a virtual
session, but rather a real one, directly between the browser and the
site.
You can of course write a proxy routine that posts the data using
cURL and hands back not the session id but the protected content,
and integrate that into the pages. This would work well where you
control both the site you /were/ on and the site that needs to be
"logged in to". You can mix and match data across domains this way,
although it is not recommended, as it's basically XSS and is bound to
be gradually harder to pull off under tighter models in the future.
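
The two approaches discussed in this thread, side by side, as an added example that is not part of either poster's message: the auto-submitting form puts the mapped credentials in the HTML the browser receives, while the cURL proxy keeps them on the server. Function names are hypothetical, and the URLs, field names and credentials are constructed placeholders.

```php
<?php
// Added example: URLs, field names and credentials are constructed placeholders.

// Client-side workaround: the browser submits the form on load, so the
// mapped credentials travel to the client inside the HTML.
function render_autosubmit_form(string $action, array $fields): string
{
    $esc = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
    $inputs = '';
    foreach ($fields as $name => $value) {
        $inputs .= sprintf('<input type="hidden" name="%s" value="%s">',
            $esc((string) $name), $esc((string) $value));
    }
    return sprintf('<body onload="document.forms[0].submit()">'
        . '<form method="post" action="%s">%s</form></body>', $esc($action), $inputs);
}

// Server-side proxy: log in with cURL, then fetch the protected page on the
// same handle. Credentials and the remote session cookie stay on the server.
function proxy_fetch_protected(string $loginUrl, string $contentUrl, array $fields): string
{
    $ch = curl_init($loginUrl);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query($fields),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_COOKIEFILE     => '',   // enable in-memory cookie handling
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTPS,
        CURLOPT_TIMEOUT        => 10,
    ]);
    if (curl_exec($ch) === false) {
        throw new RuntimeException('login failed: ' . curl_error($ch));
    }
    curl_setopt($ch, CURLOPT_URL, $contentUrl);
    curl_setopt($ch, CURLOPT_HTTPGET, true);
    $body = curl_exec($ch);
    if ($body === false || curl_getinfo($ch, CURLINFO_HTTP_CODE) !== 200) {
        throw new RuntimeException('protected page not retrieved');
    }
    return $body; // remote markup: treat as untrusted before embedding it
}

// Offline demonstration of the first approach only (no network access).
$creds = ['username' => 'demo-user', 'password' => 'demo-pass']; // constructed
$html = render_autosubmit_form('https://server2.example/login', $creds);
echo $html, "\n";
echo strpos($html, 'demo-pass') !== false
    ? "password is present in the markup sent to the browser\n" : "not present\n";
```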