I have built a website (A) which logs in to and retrieves customer data from a separate web service.
The organisation that owns (A) also has a website (B) which has a web form. They want a logged-in customer on (A) to be able to click across to (B) and see a pre-populated form with their details.
This means (A) must write their customer ID to a cookie, which (B) can read, and then (B) can request the data from the web service, and pre-populate the form.
This raises two questions:
- Can website (B) read the cookie for website (A)?
- If so, to prevent someone from editing a cookie and seeing other people’s data in the form, I would need to do something like encrypt the cookie on (A) and then have that decrypted in (B) – any suggestions along this line?
I can’t change the existing login to OAuth or something, as the web service is consumed by several other sites, so this cannot change.
No. Website B can’t read a cookie from website A.
The easiest work-around is to pass login/credential information from website A to website B and have website B set a separate cookie. For example, after logging into website A you could have them quickly redirected to website B with an encrypted querystring. Website B could then read the information, set its own cookie, and redirect the user back to site A.
It’s messy but possible.
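The hand-off the answer describes, as an added example that is not part of the original answer: site A issues a short-lived querystring token carrying the customer ID, and site B verifies it before setting its own cookie. It uses an HMAC-signed token with a shared key (assumed, and constructed here) instead of encryption, so that B can reject forged, expired and replayed values; if the ID must also be hidden from the user, wrap the same payload in authenticated encryption.

```python
import base64
import hashlib
import hmac
import json
import os
import time

# Constructed demo key shared by sites A and B; in practice load it from
# configuration on both sites and never embed it in source.
SHARED_KEY = b"constructed-demo-key-do-not-use"
TOKEN_TTL_SECONDS = 60  # the token only needs to survive one redirect


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_handoff_token(customer_id: str, key: bytes = SHARED_KEY, now: float = None) -> str:
    """Site A: build the querystring value that vouches for customer_id to site B."""
    payload = {
        "cid": customer_id,
        "exp": int(now if now is not None else time.time()) + TOKEN_TTL_SECONDS,
        "nonce": os.urandom(8).hex(),  # lets B refuse a token it has already accepted
    }
    body = _b64e(json.dumps(payload, separators=(",", ":")).encode())
    sig = _b64e(hmac.new(key, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def verify_handoff_token(token: str, key: bytes = SHARED_KEY, now: float = None,
                         seen_nonces: set = None):
    """Site B: return the customer ID, or None if the token is forged, expired or replayed."""
    try:
        body, sig = token.split(".", 1)
        expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64d(sig)):
            return None  # signature check first, so nothing untrusted is parsed
        payload = json.loads(_b64d(body))
        if (now if now is not None else time.time()) > payload["exp"]:
            return None
        if seen_nonces is not None:
            if payload["nonce"] in seen_nonces:
                return None
            seen_nonces.add(payload["nonce"])
        return str(payload["cid"])
    except (ValueError, KeyError, TypeError):
        return None
```

Site B should then set its own session cookie (Secure, HttpOnly) from the verified ID and redirect back to A, rather than keeping the customer ID in a plain cookie that a user could edit.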