We are building user profiles which can be embedded in client's websites. We are embedding those as iframe in client's web with user's id as parameter to iframe URL.
We have authentication token to allow access to the profile.With this approach the auth token will be exposed and users can misuse it.
We also though of using referrer verification, but that can be spoofed very easily.
What is the best way to show page of one application inside another website? We are trying to avoid user login through iframe to avoid additional operation overhead as there will be many users from the organisation which will be using it. Is there any other way than giving login functionality inside iframe to secure embedded iframe?
