I have a site A, which embeds modules in an iframe B. The modules may be other-domain.
The user has an authenticated session in A, and I want B to refuse to load unless the user has a valid session in A. B does not need to know anything beyond the fact that the user has an authenticated session with A. No session data is needed.

At the moment, neither A nor B are behind HTTPS, but I am looking to change that once I can convince the people upstairs to buy an SSL certificate.

So, I’ve thought of two quite different schemes to accomplish this in a secure fashion, but I am uncertain which of them will work better, so I am hoping to get some feedback here.
Any help is appreciated!

Option 1

1. A appends ?session=SESSION_ID to B’s URL
2. The server-side script at B extracts the session ID, and executes GET A/verify?session=SESSION_ID
3. A replies with 200 OK or 403 Forbidden
4. If the reply from A was a 200, the user is considered authenticated is allowed access to B

Upsides

• Easy to implement
• No shared configuration necessary (apart from A’s URL, which B already knows)

Downsides

• B must contact A, which increases loading time
• Session IDs are supposed to be secret – shouldn’t really be passed around
• Susceptible to replay attacks (for as long as the session is valid)

Option 2

1. A encrypts a data block containing a timestamp, A’s URL, B’s URL and a salt with a key shared between A and B and appends it to B’s URL
2. The server-side script at B decrypts the data block, verifies the URLs and checks that the timestamp isn’t too old
3. If everything checks out, the user is considered authenticated and is allowed access to B

Upsides

• No server-server communication
• Session ID is never transmitted to B
• Not susceptible to replay attacks (beyond the time delay allowed for the timestamp)

Downsides

• More complicated to implement
• A and B need to be somewhat time-synchronized
• A and B need to share a key