Is it feasible, SSO from JS?

 
Ranch Hand
Posts: 294
I'm working on a portal that allows access to different web sites requiring authentication. For example, entering different e-mail systems like Yahoo, Hotmail or Gmail. My portal can keep user credentials for every such site. So, JS sends a request to a servlet asking it to sign in to the required site and send back the session cookie. Then JS tries to open the site using the received session cookie. It seems browser security won't allow that. What other solution could there be? I do not want to send password information in a JS variable, for the sake of security.
 
author
Posts: 15385
The only way is to change the browser security settings, or you may be able to get a signed script, but I am not sure about that. This security is there so people cannot manipulate your data on other websites. Imagine a bank account!

Eric
 
dema rogatkin
Ranch Hand
Posts: 294
Actually, it's my goal. I'm a frequent flyer, so sometimes I have to check my account from public web terminals. I have no idea what kind of software can be installed on them, like keyloggers, traffic sniffers and other stuff. So, I want my server, which I can trust, to log in to a bank account and provide me only responses, or give me a cookie, so the current browser can be considered signed in. When I finish I can just close my session and browser. The 1st approach, where my server plays the role of a proxy, seems feasible; however, I'd like to find a simpler solution if any.

Edit: you may ask: since I need to log in to my server, that login can also be logged, so in this case a hacker can get access to all my accounts, so it's worse. To avoid that I use one-time login accounts, so I can log in only once with these credentials. I have a set of such credentials or a PDA-based generator of them.
[ November 21, 2005: Message edited by: dema rogatkin ]
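
The browser rule that blocks the cookie hand-off discussed in this thread, as an added example that is not part of any post: a simplified JavaScript model of RFC 6265 cookie storage and domain matching. The host names are constructed placeholders, the function names are hypothetical, and the public-suffix check that real browsers also apply is left out.

```javascript
// Added example: simplified RFC 6265 cookie scoping (no public-suffix check).
// Host names below are constructed placeholders; function names are hypothetical.

// RFC 6265 section 5.1.3: does `host` domain-match `domain`?
function domainMatches(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  if (host === domain) return true;
  // IP addresses only ever match themselves, never a suffix.
  const isIp = /^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.includes(":");
  return !isIp && host.endsWith("." + domain);
}

// RFC 6265 section 5.3, step 6: decide whether a cookie set by `requestHost`
// with the given Domain attribute is stored, and with which scope.
function storeCookie(requestHost, domainAttr) {
  if (!domainAttr) {
    // No Domain attribute: host-only cookie bound to the setting host.
    return { stored: true, domain: requestHost.toLowerCase(), hostOnly: true };
  }
  const domain = domainAttr.replace(/^\./, "").toLowerCase();
  if (!domainMatches(requestHost, domain)) {
    return { stored: false, reason: "Domain attribute is foreign to the setting host" };
  }
  return { stored: true, domain, hostOnly: false };
}

// Would a stored cookie be attached to a request for `targetHost`?
function sentTo(cookie, targetHost) {
  if (!cookie.stored) return false;
  const t = targetHost.toLowerCase();
  return cookie.hostOnly ? t === cookie.domain : domainMatches(t, cookie.domain);
}

// The thread's scenario: the portal relays a session cookie obtained server-side.
const portal = "portal.example";
const mail = "mail.webmail.example";
const relayed = storeCookie(portal, "webmail.example"); // portal tries to scope it to the mail site
const plain = storeCookie(portal, "");                  // same value, no Domain attribute
const native = storeCookie(mail, "webmail.example");    // set by the mail site itself

console.log(relayed);              // rejected: never stored
console.log(sentTo(plain, mail));  // false: the cookie stays with the portal
console.log(sentTo(native, mail)); // true
```

Either way the relayed session cookie never reaches the target site from the portal's origin, which is why the proxy approach mentioned in the last post is the one that stays within browser rules.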