I have a site configured for www.domain.com, the site can authenticate users and save their credentials in a cookie.
In some cases, users gain access to handlers that are configured on different servers in a different subdomain, handlers.domain.com.
I cannot allow the use of wildcard subdomain cookies (cookies should not be available to other subdomains).
My access control solution so far has been that each URL used for handlers.domain.com had a user-specific token. Handlers on the other site then take over the identity of the owner of the token. This, of course, is not such a good security practice.
I was thinking of an alternative solution: all the links to handlers.domain.com will in fact be links to a redirector script on www.domain.com that redirects to an encrypted URL with a timestamp on handlers.domain.com, which then knows for sure that it was reached via a direct redirect from www.domain.com. This solution will work fine for GET scripts, but will fail with handlers expecting POST data (e.g. large uploaded files).
Does anyone know or can think of a better solution or have an idea about my solution?
(In this case I am using ASP.NET, but the solution is likely to be platform independent, so I tag it with various web platforms.)
Thanks!
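The redirect idea in the question is essentially a signed, short-lived handoff token: www.domain.com (where the cookie lives) mints a token bound to the user, the target handler path and an issue time, and handlers.domain.com verifies it with a shared secret instead of needing any cookie. The example below is added here and is not code from the question or from ASP.NET; it uses Python so it runs anywhere, and the secret, TTL, paths and user ids are constructed values. It also shows how the same token covers POST handlers, which the question's URL-only redirect cannot: for a POST the token is carried in a hidden form field (or header) rather than in the query string, so the handler can verify it before accepting a large upload.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed example values (assumptions, not from the question).
# The secret must be shared by www.domain.com and handlers.domain.com and
# would come from configuration, never from source code, in a real deployment.
SHARED_SECRET = b"example-shared-secret-do-not-use"
TOKEN_TTL_SECONDS = 60      # how long a handoff token stays valid
CLOCK_SKEW_SECONDS = 5      # tolerance for the two servers' clocks differing


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_handoff_token(user_id: str, target_path: str, now: Optional[float] = None) -> str:
    """Run on www.domain.com after the user's cookie session has been checked.
    Binds user, handler path and issue time, and signs them with HMAC-SHA256
    so handlers.domain.com can verify the token without a shared cookie."""
    issued_at = int(now if now is not None else time.time())
    payload = json.dumps({"sub": user_id, "path": target_path, "iat": issued_at},
                         separators=(",", ":"), sort_keys=True).encode()
    sig = hmac.new(SHARED_SECRET, payload, hashlib.sha256).digest()
    return _b64url(payload) + "." + _b64url(sig)


def verify_handoff_token(token: str, expected_path: str, now: Optional[float] = None) -> Optional[str]:
    """Run on handlers.domain.com. Returns the user id if the token is authentic,
    unexpired and issued for this handler path; otherwise None."""
    try:
        payload_b64, sig_b64 = token.split(".", 1)
        payload = _b64url_decode(payload_b64)
        sig = _b64url_decode(sig_b64)
        claims = json.loads(payload)
    except ValueError:          # malformed base64/JSON (binascii.Error is a ValueError)
        return None
    # Constant-time comparison: a forged or altered payload fails here.
    expected_sig = hmac.new(SHARED_SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected_sig):
        return None
    if claims.get("path") != expected_path:   # token minted for a different handler
        return None
    current = now if now is not None else time.time()
    issued_at = claims.get("iat")
    if not isinstance(issued_at, int):
        return None
    if current < issued_at - CLOCK_SKEW_SECONDS:          # issued "in the future"
        return None
    if current > issued_at + TOKEN_TTL_SECONDS:           # replayed after expiry
        return None
    return claims.get("sub")


def authorize_request(method: str, path: str, query: dict, form: dict,
                      now: Optional[float] = None) -> Optional[str]:
    """Handler-side entry point. GET requests arrive via the redirect and carry
    the token in the query string; POST requests (uploads) carry it in a hidden
    form field named 'handoff', which the page on www.domain.com embeds before
    the browser submits to handlers.domain.com. Field names are assumptions."""
    if method == "GET":
        token = query.get("handoff", "")
    elif method == "POST":
        token = form.get("handoff", "")
    else:
        return None
    return verify_handoff_token(token, path, now=now)
```

The token's short TTL limits how long a leaked redirect URL stays useful, and binding the handler path stops a token issued for one handler being presented to another. For uploads, the form posts directly to handlers.domain.com with the token embedded, so the handler can reject unauthenticated requests before reading the body.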