I’m trying to implement single sign-on for a web portal. I’ve written some code to send a POST request containing the user’s login credentials to an external web app to log the user in. (Don’t worry, this is all over SSL)
The HTTP response from the web app contains a cookie for the user’s login. Is it possible for the web portal server to then pass that cookie to the user’s browser? Or is that impossible since the web app is on a different subdomain? I understand there are some security measures built into cookies.
Short answer: NO.
The HTTP server can indeed log into the other service and pass the service’s cookie back to the user, but the browser will set that cookie’s domain to be the HTTP server’s, not the remote service’s. There’s no way for ‘server A’ on ‘domain A’ to make a cookie appear to have originated from ‘server B’ on ‘domain B’. If it were possible, it’d be trivial to steal everyone’s authentication cookies for their bank, facebook, myspace, etc…
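As an added illustration of the domain rule the answer relies on (this is not code from the original thread), the following Python model applies the checks a browser performs under RFC 6265 section 5.3 before storing a `Set-Cookie` header and under section 5.4 before attaching a stored cookie to a later request. The hostnames (`portal.example.com`, `app.example.com`), the cookie names and values, and the public-suffix set are all constructed for the example. It goes slightly beyond the thread by also showing the one shape of `Domain` attribute a browser does accept from the portal, a parent domain shared by both hosts; a sibling subdomain or an unrelated domain is always rejected, which is why relaying the web app's cookie verbatim does not work.

```python
"""Model of a browser's decision whether to store a Set-Cookie header
(RFC 6265 section 5.3) and whether to send a stored cookie (section 5.4).
All hostnames, cookie values and the public-suffix set are constructed."""

from dataclasses import dataclass

# Constructed stand-in for the Public Suffix List a real browser consults.
PUBLIC_SUFFIXES = {"com", "net", "co.uk"}


@dataclass
class StoredCookie:
    name: str
    value: str
    domain: str       # domain the browser filed the cookie under
    host_only: bool   # True when no (accepted) Domain attribute was present
    path: str
    secure: bool
    http_only: bool


def parse_set_cookie(header: str):
    """Split 'name=value; attr; attr=val' into (name, value, {attr: val})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def domain_matches(host: str, domain: str) -> bool:
    """RFC 6265 section 5.1.3: host equals domain or ends with '.' + domain."""
    return host == domain or host.endswith("." + domain)


def accept_cookie(request_host: str, header: str):
    """Decide whether a response from request_host may set this cookie.
    Returns (StoredCookie or None, reason)."""
    request_host = request_host.lower()
    name, value, attrs = parse_set_cookie(header)
    domain = attrs.get("domain", "").lower().lstrip(".")
    path = attrs.get("path") or "/"
    secure = "secure" in attrs
    http_only = "httponly" in attrs

    # Step 5: a Domain equal to a public suffix is ignored for that exact host
    # and rejected for every other host.
    if domain in PUBLIC_SUFFIXES:
        if domain != request_host:
            return None, f"rejected: {domain} is a public suffix"
        domain = ""
    if not domain:
        # No usable Domain attribute: host-only cookie for the responding host.
        cookie = StoredCookie(name, value, request_host, True, path, secure, http_only)
        return cookie, f"host-only cookie for {request_host}"
    # Step 6: the responding host must lie within the requested domain.
    if not domain_matches(request_host, domain):
        return None, f"rejected: {request_host} is not within {domain}"
    cookie = StoredCookie(name, value, domain, False, path, secure, http_only)
    return cookie, f"domain cookie for {domain}"


def cookies_for_request(jar, host: str, https: bool):
    """Section 5.4: names of stored cookies the browser would send to host.
    Path matching is omitted; every cookie here uses Path=/."""
    host = host.lower()
    sent = []
    for c in jar:
        if c.secure and not https:
            continue
        if c.host_only and host != c.domain:
            continue
        if not c.host_only and not domain_matches(host, c.domain):
            continue
        sent.append(c.name)
    return sent


def demo():
    """The SSO scenario from the thread: the portal relays the web app's
    Set-Cookie header verbatim, then a variant with the Domain attribute
    removed, and we check where each cookie would actually be sent."""
    portal, app = "portal.example.com", "app.example.com"
    headers = {
        "relayed": "app_session=abc123; Domain=app.example.com; Path=/; Secure; HttpOnly",
        "stripped": "app_session=abc123; Path=/; Secure; HttpOnly",
    }
    jar, results = [], {}
    for label, header in headers.items():
        cookie, reason = accept_cookie(portal, header)
        results[label] = reason
        if cookie is not None:
            jar.append(cookie)
    results["sent_to_portal"] = cookies_for_request(jar, portal, https=True)
    results["sent_to_app"] = cookies_for_request(jar, app, https=True)
    return results


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key}: {val}")
```

Running it shows the relayed header rejected outright, while the stripped header is stored as a host-only cookie that the browser sends back to `portal.example.com` and never to `app.example.com`. The portal can only obtain a cookie that reaches both hosts by setting `Domain=example.com` itself, which is then a cookie of the shared parent domain, not one that the web app issued.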