How to implement authorization without sessions on the backend?

O

Olya2017-11-26 20:30:29

Sessions

Olya, 2017-11-26 20:30:29

Hello!
There is a service through which an order is made (order form, admin panel). The order form and the login form are embedded in different sites (not the same domain) via an iframe. the order is linked to the current domain. Authorization is implemented classically (checking the user on the backend and writing his data to the session on the backend). But under such circumstances, if a user logs into the admin panel on one site, then on another, the same user will still remain in the admin panel. What is the best way to rewrite authorization so that a person remains authorized with domain binding? Maybe someone has examples of solutions to similar problems?

Reply

Answer the question

In order to leave comments, you need to log in

2 answer(s)

I

Ivan Koryukov, 2017-11-26
@OlyaHryhorenko

Did you check the fact that on another site the user will also be authorized or just think so? It just shouldn't work like that - the session is tied to cookies that are visible only on the site that set them.
And even if it works as you say, then just change the session structure - store the data for each individual site under the key, which is the domain of this site.

A

Alexey Cheremisin, 2017-11-27
@leahch

Pass jwt tokens. They can be passed both with the form and in http headers, and even loaded via js.