Share user data across 2 domains - javascript

I have 2 domains, (NOT SUBDOMAINS)
Domain A
Domain B
My users create a account on Domain A and create / login a new account on Domain B with the same info by just clicking a button with "login with Domain A". A better way to explain is: i would like a "login with google" on domain B and domain A would google in this question.
My question is: what would be the best way to approach this, I don't want to share a database across the 2 domains so I thought maybe this could be done with cookies like in this post https://stackoverflow.com/a/6816659/19055225, would this be a good idea if I encrypt the cookies or are there better ways?
The timeline of a user wanting to login on domain B with domain A's login:
Creating account on domain A:
going to domain B to create a account with the created account on domain A, the user will be redirected to domain A with an allow form.
When users allow the creating of an account with the known data on domain A they will be redirected to domain B where they get a succes messages (the data is shared with domain B)
users can now login on domain b with the account from domain A (each login click they will be redirected to domain A for an "login" button to login on domain B)
What would be the best approach for this project?
i already made the html,css and php/js ready forms for every screen.

In essence, what you're asking for has nothing to do with the browser, nor should it; you would never want to share information like that cross-domain, as anything (the users data) could be stored/taken from one website to another (i.e., a company that uses your data for whatever they want).
In my opinion, the question should be directed more toward the backend/database. You have a few solid options:
Share the same database (you said you didn't want to, but feels like it should still be said)
Create a "conversation" between servers (http requests, web sockets)
Database replication (though this isn't easy to make work well in real time, not to mention scale, without tools like rabbitmq)
Share information via encrypted data in the url with a key both servers have in their env to decrypt (less ideal option imo)

Related

Is there a standard way of Identifying 'Domain not Owned' sites when using http/https?

I am using a node webshot library to take a image of an web site say at http://x.y.z.com/blah . If the website exists I get a nice image. If the website does not exist I may or may not get an error. If I get an error case I can use a default image. However, I am finding out that some domains are being redirected to the infamous Domain selling sites or a "search for" Domain site. For example, http://notawebsite.com.org is redirected to http://www.com.org/?notfound=notawebsite.com.org. I have also checked dns to see if I can invalidate the site ahead of time but it resolves fine ( to the www.com.org address ). So is there anything I can do to determine if a url site is redirected to one of theses Domain search/selling sites?
Is there a standard way of Identifying 'Domain not Owned' sites when using http/https?
No, not really. In the example you cite, the server for http://notawebsite.com.org returns a 301 redirect. It seems to me that you just decide that if you're getting a redirect to a different domain (and not just a redirect to a different page on the same domain and not just a redirect from http to https on the same domain), then the URL you were attempting to access is apparently not active on its own.
There is no standard way to know whether the site you are redirect to is just a domain seller vs. an actual active domain. You could manually investigate a bunch of sites you get redirects on and teach your code how to identify some common domain sellers doing this, but that would be a somewhat unending task that probably need regular human intervention to tell the difference between a real site and a domain selling site. You could, in the end, built up a blacklist of domain seller's domains and refuse to catalog any URL that redirects to any domain on your blacklist. But, it would probably take some manual intervention to build and maintain the blacklist.
You also have no way of knowing for sure that all URLs on a given domain where you're getting a redirect do a similar redirect, but you can certainly say that the URL you tried to get the snapshot from is not directly active on its own. If the user goes to that domain in their browser, they won't see any content for that domain in their browser because the redirect will change the URL.
So is there anything I can do to determine if a url site is redirected to one of theses Domain search/selling sites?
Build your own blacklist of reseller domains that show up in redirects like this. Then whenever you attempt to request a page URL for purposes of grabbing a webshot and you get a 3xx status code back from the request, you check the redirect domain to see if it is on your blacklist.

webbugs like behavior to send specific and general info to server

I have been finding solutions for one technique that I need in my web app. All the big websites have that solution implemented.
Like Facebook, when user is logged in, and then that user open another tab, and go to xyz website. And that website say has facebook script on it. I have observed that without doing anything on xyz website (just visiting), Facebook ads are tuned related to the user being visited to xyz website.
I know webbugs can send data such as IP of user who is visiting xyz website but how come the specific information is also sent to facebook that facebook uses to tune ads experience for specific user. Specific action may be like, if I go to Qatar Airways website and search for flights from destination A to B then on Facebook I get ads related to deals on Qatar Airways from A to B.
How its technically possible? to me it seems like connecting two cookies. Or what else is possible? I need steps that I need to take to configure my server and client to achieve this functionality. And also what I need to do on other websites that user visits. Thanks
IP Addresses ,
HTTP Referrer ,
Cookies & Tracking Scripts ,
Super Cookies ,
User Agent .
steps : https://developers.google.com/analytics/devguides/collection/analyticsjs/

javascript window redirect pass parameters securely (post)

I have a scenario where page navigation is done from one domain to another.
For example, navigation is done from
http://www.foo.com to
http://www.bar.com on button click in javascript
While redirecting, I need to send username and password securely from the first domain to the second domain.
How do I send these parameters?
I do not want to use GET and send it across the URL as it is not secure to send password in that manner.
Broswer's localStorage and SessionStorage did not work as the domains are different.
Window.open does opens the second domain in the same page ('_self') but the parameters are lost. On top of that window.open has the drawback of popup blockers blocking it
Cookie did not work.
I want to redirect from Site A to Site B and pass the username and password the user entered on Site A to Site B
You are not clear what your security implications are here:
While redirecting, I need to send username and password securely from the first domain to the second domain.
I do not want to use GET and send it across the URL as it is not secure to send password in that manner.
Is it site B should not know the password or is it you are concerned about someone listening on the request and replaying it?
At any rate, the only secure way is
Site A hands you a token (could be a JSON Web Token)
you send this token with the request to site B.
Site B takes this token and asks site A to validate it.
After positive validation, Site B creates a session for you.
Everything else (using POST instead of GET) is insecure as well, it is trivial to listen in to a POST request.
There are few ways:
1) Use a POST: Create a <form/> in your webpage and place some hidden variables on the fly using javascript and then post it to another website.
2) Use Headers: Can you see if you can set header?
3) Use Token: You can try using Token, which you can use instead of user+pwd combination. So what happens is you redirect from website A to B using a token embedded in the URL and website B validates the token to an API available on website A before it authenticates the user. You can make these token self-expiring after X seconds.

Delete cookie on another site

Is it possible to delete a cookie on one site when being redirected to that site from another site? Or is that impossible due to security restrictions?
Site A has a login form that submits to and logs in as Site B. When the user logs out from Site B after using Site A's login form, Site B forwards them back to Site A. Is there any way for Site A to delete a cookie on Site B without access to Site B's backend/code?
No, not if site A and site B are on different domains. There is a domain attribute that can be set in the Set-Cookie header, but this must be either an exact or partial match for the current domain. By partial match I mean that it is possible for foo.example.com to set a cookie for example.com but not for ample.com.
Source RFC 6265 (HTTP State Management Mechanism):
When the user agent "receives a cookie" from a request-uri...
If the canonicalized request-host does not domain-match the
domain-attribute:
Ignore the cookie entirely
Bear in mind that a cookie deletion is really receiving a cookie with an expiry date in the past so that is why the above still applies.
Site B would have to implement a mechanism to allow this to happen.
AFAIK this is not allowed for - as you guessed - security reasons.
Take a look here for further details: http://en.wikipedia.org/wiki/Same_origin_policy

using a domain for specific account of another domain

Assume that there is a site (e.g. weblog.com) that users can register on it. after login, user1 would enter to "weblog.com/user1/" entrance page and then browse his own areas of the site. how can I allow him access to his area of my site through his domain (e.g. user1.com).
In other words, when other users enter to user1.com, we would authorize user1 in weblog.com in the background and users access to every user1 allowed pages through user1.com domain transparently.
note that if I use iframe to load weblog.com/user1/ into entrance page of user1.com, all links and also URLs used within javascripts redirect him to weblog.com/user1/. While I want this actions to be transparent from users of user1.com during working.
I am using Ext JS and .htaccess and CORS did not have any result for me until now.
every solutions, tricks or even subjects to study and keywords to search are welcomed.
Sure. What you basically want to do is to rediect your user to there web in your sub domain.
Now, firstly you need to create a javascript that generates a weblog.com/user1 and so on pages on user registration.
Next you have to specify your user to set dns or you have to set it for them that will probably work through your DNS panel (A records, CNAME, or MX records.)
After the user has been authenticated to there site or your subdomain. They can access the page in the same manner but you also need to specify login script at the same time.

Categories