[SOLVED] VKontakte Cross-Domain Authentication

G

gaelpa2011-10-24 18:49:21

In contact with

gaelpa, 2011-10-24 18:49:21

0. Open a “clean” browser or clear all cookies / ETC - private data
1. Go to vk.com and log in
2. Open vkontakte.ru

And see yourself logged in.
Question: How did they do it? ( i.e. how does vkontakte.ru understand that I am the same person as on vk.com? )

Looked Firebug'om and through Wireshark - I did not find requests from one domain to another.
Searches in the surts have not given me anything so far.
The session cookie ".vkontakte.ru" appears after a request to /login.php?...&hash=[multi-digits], searches in js for the place where the hash is formed have not yet been successful

Any ideas?

Reply

Answer the question

In order to leave comments, you need to log in

3 answer(s)

E

ertaquo, 2011-10-24
@gaelpa

In fact, when logging in to VKontakte, the POST request goes to https://login.vk.com/ . It saves something in cookies and redirects to http://vkontakte.ru/login.php with some hash in GET parameters. That's how it works.

E

egorinsk, 2011-10-24
@egorinsk

You have not cleared all private data.
ps After deleting cookies on vkontakte.ru/vk.com, you should log out. You are doing something wrong.

1

1nd1go, 2011-10-25
@1nd1go

There is actually not POST, but GET
Steps are as follows:
1. vkontakte.ru/feed, redirects to login.vk.com/ with parameters from where, hash ip (interestingly, this is in case of a disabled referrer) and the page where, I so I suspect
2. Login.vk.com redirects to the page where you went, i.e. on vkontakte.ru/feed
3. And from there, session cookies are set that you are logged in.
Those. it turns out that all session cookies are set only on vkontakte.ru itself, which is logical for organizing a session. This means that SSO transferring session identifiers between login.vk.com and sites that use it via internal connections between servers, and with GETs with redirects we simply take session cookies