Here is the scenario:

There is a webpage on domain A. The user is authenticated within domain A (and saves the auth token in sessionStorage), and does some activity there. Then the user needs to go to a page on domain B. Once he lands on the page from domain B, that page should somehow retain the auth token from domain A. I'm in control of the server of domain B.

The simplest approach is to have a button on the page in domain A with something like
JavaScript
location.href = 'https://domainB.com/?authtoken=mytoken';

Here come the problems I'm facing:
1) I cannot (aka strongly don't want to) use query parameters in the URL, even though the connection is https: URLs (in general) are logged, and any attacker can easily steal the auth token, which is a security breach.
2) I don't want to set cross-domain cookies - same reason (security).
3) The domain B application is API-based, and server and client are sessionless. All auth tokens sit in sessionStorage to prevent security breaches.

I did a lot of googling in the last couple of days, but it seems I cannot add a custom header for a cross-domain page load. 'POST' does not reload the page. So far the only option I was able to come up with is to surrender to using a server-side session, i.e.:
a) right before navigating away from domain A to B, ask server B to create a session key that is of one-time use.
b) navigate to domain B using a query parameter carrying that session key.
c) once the server on domain B gets the 'GET' request with the session key, retrieve the associated auth token, discard the session key (i.e. effectively making it a one-timer), and serve the page with the auth token in headers.

Problems with this approach:
1. It forces me to use a server-side session, i.e. significant performance degradation.
2. The auth token is saved (however temporarily) in domain B's server-side session, which increases the security vulnerability of the whole system.
3. Still open to man-in-the-middle attack.

Any other suggestions? How do others solve it? I don't think everybody is using such a security fail as URL query parameters.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)