
Is it feasible, SSO from JS?

 
dema rogatkin
Ranch Hand
Posts: 294
I'm working on a portal that allows access to different web sites requiring authentication, for example, signing in to different e-mail systems like Yahoo, Hotmail or Gmail. My portal can keep user credentials for every such site. So, JS sends a request to a servlet asking it to sign in to the required site and send back the session cookie. Then JS tries to open the site using the received session cookie. It seems browser security won't allow that. What other solution could there be? I do not want to send password information in a JS variable, for the sake of security.
 
Eric Pascarello
author
Rancher
Posts: 15385
The only way is to change the browser security settings or you may be able to get a signed script, but I am not sure about that. This security is there so people cannot manipulate your data on other websites. Imagine a bank account!

Eric
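
Added example, not part of the thread: a minimal model of the cookie Domain check from RFC 6265 (sections 5.1.3 and 5.3), which is why script on the portal cannot plant a session cookie for another site. Host names are constructed placeholders, and the public-suffix check that real browsers also apply is left out.

```javascript
// Added illustration; all host names below are constructed placeholders.

// RFC 6265 section 5.1.3: does `host` domain-match `cookieDomain`?
function domainMatch(host, cookieDomain) {
  host = host.toLowerCase();
  cookieDomain = cookieDomain.toLowerCase().replace(/^\./, ""); // leading dot is ignored
  if (host === cookieDomain) return true;
  // Suffix matching applies to host names only, never to IP addresses.
  const isIp = /^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.includes(":");
  return !isIp && host.endsWith("." + cookieDomain);
}

// RFC 6265 section 5.3: what the browser stores when a page served from
// `documentHost` sets a cookie. Returns null when the cookie is ignored.
function storeCookie(documentHost, name, value, domainAttr) {
  if (domainAttr) {
    // A page may only name its own host or a parent domain of it.
    if (!domainMatch(documentHost, domainAttr)) return null;
    const domain = domainAttr.toLowerCase().replace(/^\./, "");
    return { name, value, domain, hostOnly: false };
  }
  // No Domain attribute: the cookie is bound to the setting host only.
  return { name, value, domain: documentHost.toLowerCase(), hostOnly: true };
}

// Would the stored cookie be attached to a request for `requestHost`?
function sentTo(cookie, requestHost) {
  if (!cookie) return false;
  return cookie.hostOnly
    ? requestHost.toLowerCase() === cookie.domain
    : domainMatch(requestHost, cookie.domain);
}

// The thread's scenario: the portal page receives a session id from its
// servlet and tries to apply it to the mail site.
function demo() {
  const portal = "portal.example";
  const mail = "mail.example.com";
  const foreign = storeCookie(portal, "SESSION", "constructed-id", mail);
  const own = storeCookie(portal, "SESSION", "constructed-id", "");
  return {
    foreignStored: foreign !== null,       // cross-site cookie is dropped
    ownSentToMail: sentTo(own, mail),      // portal cookie never reaches mail site
    ownSentToPortal: sentTo(own, portal),  // it only goes back to the portal
  };
}

console.log(demo());
```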
 
dema rogatkin
Ranch Hand
Posts: 294
Actually, it's my goal. I'm a frequent flyer, so sometimes I have to check my account from public web terminals. I have no idea what kind of software may be installed on them, like keyloggers, traffic sniffers and other stuff. So, I want my server, which I can trust, to log in to a bank account and provide me only the responses, or give me a cookie, so the current browser can be considered signed in. When I finish I can just close my session and browser. The 1st approach, where my server plays the role of a proxy, seems feasible; however, I'd like to find a simpler solution if any.

Edit: you may ask, since I need to log in to my server, that login can also be logged, so in this case a hacker can get access to all my accounts, so it's worse. To avoid that I use one-time login accounts, so I can log in only once with these credentials. I have a set of such credentials or a PDA-based generator of them.
[ November 21, 2005: Message edited by: dema rogatkin ]