What I am attempting to do is build a JavaScript library that will take an authenticated user on an external website and securely pass a few pieces of identifying information to my server to retrieve web content, which will then be served up in an iframe on the external site.
Now, my problem is that JavaScript is not secure, which is actually a big problem.
Assumptions
- The companies that own the external sites may have little to no IT infrastructure.
- I will not have access to their servers or code. For this reason, I'd just like to have them toss a JavaScript include and a few lines of HTML/JavaScript on the page.
- The external site can be in any language and hosted on any platform. My backend is .NET 4.0.
How do I securely get user details from the external server to my server while ensuring tampering is not going on? Any suggestions or ideas are welcome.
As far as I can see, this cannot be done using pure JavaScript.
You will always have to talk to the remote server and ask it whether the user is actually really logged on. Anything you get from JavaScript is unreliable, as it can be freely forged.
You could have the remote server serve a random token to the JavaScript that it in turn sends to your server (just like a session ID). Your server could then ask the remote server whether the token is valid, and display the necessary data.
It won't work without some involvement with the remote server, though. No way around that.