I have a site set up on www.domain.com, the site can authenticate users and persist their credentials in a cookie.
On occasions the users access handlers that are set up on different servers on a different sub domain. handlers.domain.com
I can’t afford to use wildcard subdomain cookies (Cookies should not be available for other subdomains)
My solution for access control up until now was that every URL used for handlers.domain.com had a guid specific to the user. The handlers on the other site would assume the identity of the guid owner. This of course is not such a good security practice.
i was thinking about an alternative solution: All links to handlers.domain.com will actually be links to a redirector script on www.domain.com that will redirect to an encrypted time stamped url on handlers.domain.com which will then know for sure that it was accessed as a direct authenticated redirection from www.domain.com.
This solution will work fine on GET scenarios but will fail with handlers expecting POST data (up do big uploaded files)
Does anyone know or can think of a better solution or have any insight on my solution?
(In this case I am using ASP.NET but the solution will probably be platform agnostic, so I will tag this with various web platforms)
Thanks!
As you do not want to use cookies to establish a session (group of requests) you need to find other ways. As the information of the cookie is passed readable within the HTTP request, I do not see a problem if you for that one particular request pass that information as part of a POST request.
If you prefer a GET request I would additionally add a flag inside the users server-side session prior the redirect so to give the script that is the destination of the redirect the possibility to verify the validity of the request on the server-side.