JavaScript
IDDH, 2016-04-26 13:35:50

SPA. Way to authenticate and transition between domain and subdomain?

There is a landing page with a login and password form, for example domain.com, and there is a SPA application on app.domain.com, to which the user is redirected after logging in on the landing page.
How can API authentication between a domain and a subdomain be done more securely, so that after the redirect you don't have to worry about the token?
Here I am mainly interested in how to hand the token from the domain to the subdomain.
Option 1. Log in on domain.com and pass the resulting token as a GET parameter. Very insecure, because the token is easily exposed in the browser address bar and, in general, everywhere in the request.
Option 2. Set a cookie token=mytoken on the domain and read it on the subdomain. I have some doubts: with any random XSS the token can be stolen (of course, you need to make sure there is no XSS, but still, there is a chance).
Please tell me a more reliable way.
Thank you!

1 answer(s)
Dmitry Belyaev, 2016-04-28
@IDDH

The simplest solution is that the authorization token must be one-time. When authorizing, a one-time token is generated and passed to the application in any way; the application connects to the server with this token and it is not used a 2nd time. Then either a websocket connection continues without any tokens, or, if it is ajax after all, we generate another persistent session token, which we store on the client in a closure.
The more complicated option: read about the digital fingerprint of the browser.
The point is that there is a certain function which, if you call it from the same browser, returns a constant value, but in different browsers this value will be different (for example, Chrome of the same version on the same version of the OS gives a different value on my desktop and laptop).
If you master all this, there should no longer be any problem using it to secure the session from being used on another device.
