9

I have an iframe that loads an external page, that needs to be logged to make appear what I want. Actually, if i set the iframe the normal way, the iframe loads the external-domain-login page. What I actually have is something like this:

What I need to do is to set some cookies for that source to make pretend the external domain I'm "logged". That can be done (or what I think this can be done) is setting to the request the cookies that the login response gave me.

I'm actually able to get those cookies, but don't know how to set them to the URL from the iframe.

Thoughts?

Thanks!

FabKremer
  • 2,149
  • 2
  • 17
  • 29
  • You can not access 3rd party sites. Think about it, you log into your bank/email and some other site can get your login info? Is that smart? If you control both domains, there are things you can do. – epascarello Apr 04 '14 at 14:58
  • 1
    True thought.. On the other hand my flow is something like: I log in with an account to the other domain through the api "silently" (not shown in any view) and with the cookies that login gave me I want to show some page from that domain I recently logged in. Doesn't seem to be so ilegal to me. – FabKremer Apr 04 '14 at 15:12
  • 1
    https://developer.mozilla.org/en-US/docs/Web/JavaScript/Same_origin_policy_for_JavaScript – epascarello Apr 04 '14 at 15:17

1 Answers1

14

If the iframe is on a separate domain, you can't access it directly via javascript from your other domain so you won't be able to directly transfer your cookie from domain1 to domain2 using javascript.

If you control code in both domains, then there are some workarounds. Here's one method that uses a single place to login and the login credential is transferred via URL parameters: Cross Domain Login - How to login a user automatically when transferred from one domain to another

You could conceivably use the URL transfer mechanism by logging in on the first domain and then setting the .src URL in the iframe to have the login credential in the URL. When the second domain loaded in the iframe, it would see the login credential in the URL, grab it, turn it into a cookie value that it wrote on itself and the refresh itself (thus now looking logged in). You will obviously need to control javascript in both domains to use either of these techniques because one domain's javascript can't put a cookie into the other domain directly.

Another way that two cooperating domains can communicate is with window.postMessage() so the login credentials could be sent to the iframe window. It's javascript would have to receive the message and turn it into a cookie and then refresh it's page so that the server saw the login cookie on the 2nd domain.

Community
  • 1
  • 1
jfriend00
  • 683,504
  • 96
  • 985
  • 979