How to do cross-domain authentication securely?

So. I have domain A.com, of which the user authentication is done at domain B.com. Currently I have it set so that the login form is posted to B.com, which (if successful) sets the session cookie and fires a redirect to A.com/loggedin. However, as the form is posted to B.com and the cookie is set for that domain, when I do a JSON request from A.com the session cookie isn't available and I have no idea if they logged in or not. The question then becomes, how to solve the issue?

I've been mulling over a solution wherein I would add a token to the redirect URI, which then could be used for one-time authenticated session creation with A.com (the browser could use that token to auth the session with B.com, so that the cookie would be set for A.com and would be available on JSON requests. After that the token would be invalidated, ofc).

However, I'm not sure how secure this solution would be. Or is there another, more secure solution?

crappish asked Nov 07 '13 19:11



1 Answer

Your current solution looks good to me and can be used in this scenario. But for your security concerns, instead of providing a plain token you may want to encrypt it with some good encryption method, and based on that you can configure your servers to encrypt and decrypt the authentication token before using it. The only thing is that you need to choose the best algorithm for your case.

Other than this solution you can give a thought to session management tools. Session Migration, Session Replication and Session Sharing are the options that I can think of.

Here is a link for a solution provided by Oracle for session sharing, which I think can help in your case.

me_digvijay answered Oct 10 '22 02:10
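The one-time handoff token that the question sketches and the answer endorses, written out as an added example (this is not code from either poster). It uses an HMAC signature rather than encryption: the user id in the token is not secret, what matters is that A.com can check the token really came from B.com, has not been altered, has not expired, and has not been presented before. The shared key, the 60-second TTL, the `user|nonce|expiry` payload layout and the in-memory nonce store are all assumptions made for the example.

```python
"""Signed, single-use handoff token from an auth domain (B.com) to an app domain (A.com).

Constructed example. B.com issues the token after a successful login and appends it
to the redirect (A.com/loggedin?token=...). A.com verifies the signature, rejects
expired and replayed tokens, and only then mints its own first-party session.
"""
import base64
import binascii
import hashlib
import hmac
import secrets
import time

# Hypothetical secret shared by the A.com and B.com servers; load from config in practice.
SHARED_KEY = b"constructed-shared-secret-do-not-reuse"
TOKEN_TTL_SECONDS = 60  # assumed lifetime; the token only has to survive one redirect


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(payload: bytes, key: bytes) -> bytes:
    return hmac.new(key, payload, hashlib.sha256).digest()


def issue_handoff_token(user_id: str, key: bytes = SHARED_KEY, now=time.time) -> str:
    """B.com side: build `base64(user|nonce|expiry).base64(hmac)` right before redirecting.

    The nonce makes every token unique so A.com can detect a replay; user_id is
    assumed not to contain the '|' separator.
    """
    expiry = int(now()) + TOKEN_TTL_SECONDS
    payload = "|".join([user_id, secrets.token_urlsafe(16), str(expiry)]).encode()
    return _b64(payload) + "." + _b64(_sign(payload, key))


class AppDomainA:
    """A.com side: redeem a handoff token exactly once and create an A.com session."""

    def __init__(self, key: bytes = SHARED_KEY, now=time.time):
        self.key = key
        self.now = now
        self.used_nonces: dict[str, int] = {}  # nonce -> expiry; replay detection
        self.sessions: dict[str, str] = {}     # A.com session id -> user_id

    def redeem(self, token: str):
        """Return (session_id, "ok") on success, or (None, reason) on rejection."""
        try:
            payload_b64, sig_b64 = token.split(".", 1)
            payload = _unb64(payload_b64)
            sig = _unb64(sig_b64)
        except (ValueError, binascii.Error):
            return None, "malformed"
        # Constant-time comparison so a forger learns nothing from timing.
        if not hmac.compare_digest(sig, _sign(payload, self.key)):
            return None, "bad signature"
        try:
            user_id, nonce, expiry_text = payload.decode().split("|")
            expiry = int(expiry_text)
        except ValueError:
            return None, "malformed"
        now = int(self.now())
        if now > expiry:
            return None, "expired"
        self._purge_expired(now)
        if nonce in self.used_nonces:
            return None, "replayed"
        self.used_nonces[nonce] = expiry
        # The handoff token is never stored as the session; A.com mints its own id
        # and sets it as a first-party cookie, so later JSON requests carry it.
        session_id = secrets.token_urlsafe(32)
        self.sessions[session_id] = user_id
        return session_id, "ok"

    def _purge_expired(self, now: int) -> None:
        """Nonces of expired tokens can be forgotten: the expiry check rejects them anyway."""
        for nonce, expiry in list(self.used_nonces.items()):
            if expiry < now:
                del self.used_nonces[nonce]
```

Because the token travels in a URL it can end up in browser history, Referer headers and web-server logs, which is why it is single-use and short-lived, and why A.com should consume it on the landing page and immediately redirect to a clean URL. The per-process `used_nonces` dict is a simplification: with several A.com instances the replay record has to live in shared storage, or the redemption has to be done by a single endpoint.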