javascripthttpsessioncookiessession-hijacking

Pass HTTP session for third party site from server to client


Let's say my web app is acting on behalf of users who give their credentials to my app so the app can make API calls to a third party service. Incidentally, this is for posting product offers to this third party site (bit like eBay, but on a smaller scale).

Now one super convenient way to make this posting easy would be to reuse the sophisticated web form that third party service has to accept product offers for authenticated users. The idea is to populate their web form and redirect the client browser to it so the user can edit things there using the sophisticated and familiar web form. This would be the best user experience and the least implementation work.

However, it is not a documented way to do it. What's more, it doesn't work in the simple way, like populating the form fields from request parameters (GET or POST). The web form just doesn't work that way.

There might be an alternative. My app could open a session with the third party app on the user's behalf, submit all data so it is stored in their database, and then send the user's browser all the data it needs to take over the session that my server app opened on his behalf. Note that I haven't tried this yet; and I reckon it might fail if the third party app ties a session to an IP number (which, whether sound or not, an app might do).

But wouldn't it be possible to have the server program opening the HTTP session write all the information needed to take over that session to an HTML/Javascript document and send that document to the user's browser, where the Javascript executes and assembles a request such as composed when using a browser on the third-party form directly, which I've been observing using HttpFox?

All the information, that is everything HTTP; it's obviously not possible to pass the server's IP number to the client ... But all cookies and parameters. The Javascript executing in the browser would then have to use the information I'd be somehow passing in the document (probably in the script part) to compose a request to the third party web site that goes right into the session the server app has opened. This would mean that a document originating from my domain would set cookies (add request headers) to then have the user's browser execute that request.

So in other words, is it technically possible to pass a session from the server to the client?

How would you do it in Javascript?

Update

According to answers to another question: You cannot set cookies for another domain. Allowing this would present an enormous security flaw. Goes to show I'm not a frontend developer.

Not giving up, yet. There's the XmlHttpRequest object. Maybe this can be abused for my evil purposes?

Second Update

So I experimented with XmlHttpRequest. Bad news (for me and this particular case): It appears it won't work using XmlHttpRequest either because (using the current Firefox) my nicely forged requests are rewritten according to what appears to be slated to become a W3C standard on Cross-Origin Resource Sharing, so a Cookie header is simply removed and dummy headers Moin and Gurke are reduced to Access-Control-Request-Headers: gurke,moin. Now frankly, this is spoiling the game big time. I'm disappointed.


Solution

  • Okay, giving up. What I want to do is not possible. The reason for this is the so-called same-origin policy to make browsers a safer place. See this other answer for some pointers. And it appears I was wrong on my assessment of the W3C working draft on Cross-Origin Resource Sharing, which is there to allow exceptions from the same-origin policy. So if this were widely implemented it might be viable. But overall there are too many ifs and uncertainties in this attempt.

    Hehe. Got it working. :)

    The cookie and the session ID contained therein weren't needed after all. I've figured out how to obtain all the parameters needed for that request, and I'm providing them to the client by sending him an auto-submitting form:

    <body onload="document.forms[0].submit()">
    <form action="..." method="post">
    ...
    

    The client then enters his own session. Works great. As long as they don't change the interface. I set up tests to monitor their form and alert me to take action they change stuff in incompatible ways.