I'm working on a portal that allows access to different web sites requiring authentication. For example, signing in to different e-mail systems like Yahoo, Hotmail or Gmail. My portal can keep user credentials for every such site. So, JS sends a request to a servlet asking it to sign in to the required site and send back the session cookie. Then JS tries to open the site using the received session cookie. It seems browser security won't allow that. What other solution can there be? I do not want to send password information in a JS variable, for the sake of security.
The only way is to change the browser security settings, or you may be able to get a signed script, but I am not sure about that. This security is there so people cannot manipulate your data on other websites. Imagine a bank account!
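The restriction described in the reply above, as an added example that is not part of the original thread: a simplified JavaScript model of the RFC 6265 domain-matching check a browser applies before storing a cookie and before sending it. The host names (`portal.example`, `mail.example`) and the function names are assumptions made for illustration, and the public-suffix check real browsers also perform is omitted.

```javascript
// Added illustration: RFC 6265 domain-matching, the check a browser applies
// before storing a cookie. Host names below are constructed samples.

// RFC 6265 section 5.1.3: does host `host` domain-match cookie domain `domain`?
function domainMatches(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  if (host === domain) return true;
  const isIp = /^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.includes(":");
  // Suffix match only on a label boundary, and never for IP addresses.
  return !isIp && host.endsWith("." + domain);
}

// RFC 6265 section 5.3: decide what happens to a cookie set by `originHost`
// (a Set-Cookie response header or document.cookie on a page from that host).
// Returns the stored scope, or null if the browser ignores the cookie.
function storeCookie(originHost, domainAttr) {
  if (!domainAttr) {
    // No Domain attribute: host-only cookie, sent back to originHost alone.
    return { domain: originHost.toLowerCase(), hostOnly: true };
  }
  const domain = domainAttr.replace(/^\./, "").toLowerCase();
  if (!domainMatches(originHost, domain)) return null; // foreign domain: dropped
  // Real browsers also reject public suffixes such as "com"; omitted here.
  return { domain, hostOnly: false };
}

// Would a stored cookie be attached to a request for `requestHost`?
function isSentTo(cookie, requestHost) {
  if (cookie === null) return false;
  return cookie.hostOnly
    ? cookie.domain === requestHost.toLowerCase()
    : domainMatches(requestHost, cookie.domain);
}

// Constructed scenario: a script on portal.example holds a session id that
// the servlet obtained from mail.example and tries to plant it in the browser.
const planted = storeCookie("portal.example", "mail.example");
const own = storeCookie("portal.example", "");
console.log("planted for mail.example:", planted);
console.log("sent to mail.example:", isSentTo(planted, "mail.example"));
console.log("portal's own cookie sent to mail.example:", isSentTo(own, "mail.example"));
```

The same rule is what lets a page on `app.mail.example` set a cookie for `mail.example` while a page on `portal.example` cannot.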
Actually, it's my goal. I'm a frequent flyer, so sometimes I have to check my account from public web terminals. I have no idea what kind of software can be installed on them, like keyloggers, traffic sniffers and other stuff. So, I want my server, which I can trust, to log in to a bank account and provide me only the responses, or give me a cookie, so the current browser can be considered signed in. When I finish I can just close my session and browser. The first approach, where my server plays the role of a proxy, seems feasible; however, I'd like to find a simpler solution, if any.
Edit: you may ask, since I need to log in to my server, it can also be logged, so in this case a hacker can get access to all my accounts, so it's worse. To avoid that I use one-time login accounts, so I can log in only once with these credentials. I have a set of such credentials or a PDA-based generator of them. [ November 21, 2005: Message edited by: dema rogatkin ]