
We have a site builder that allows users to add/modify JS/HTML/CSS. Is it possible to provide global authentication for it?

I mean users log in once but can interact with all sites under their own names. Those sites should not be able to steal the user token and change data in other sites in the network. Consider a global authentication for all Stack Overflow sites and no XSS protection.

Architecture:

  1. An HttpOnly cookie (instead of a JWT in local storage) for our API authentication
  2. Limit each site's requests to its own resources with dynamic CORS.

Is this secure?

hjahan
    HTTP cookies are bound to a single site by design. *"login once"* - what you seem to look for is Single Sign On (SSO) and there are many established solutions for this. – Steffen Ullrich Sep 04 '20 at 06:25
  • Thanks! The cookie is only required for the API, which is hosted on a single domain. I supposed that we can send a request to that API from different domains and still use cookies. Am I wrong? – hjahan Sep 04 '20 at 10:18
  • Sure, it is possible to send a cookie within a cross-site call, provided the cookie is not same-site and the CORS policy or kind of request allows it. – Steffen Ullrich Sep 04 '20 at 17:18
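Worked example of the two-point architecture in the question (HttpOnly session cookie plus dynamic CORS), written as added illustration code for this page; it is not from the asker, the commenters or any product. It assumes a hypothetical API host, two hypothetical builder-site origins, a cookie named `sid` and an in-memory session table, all constructed here. The point it makes concrete is the one raised in the comments: with `SameSite=None` the browser attaches the cookie to credentialed cross-origin requests from any site, and CORS only governs whether the calling page may read the response. HttpOnly stops a site's script from reading the cookie, but not from making authenticated requests with it, so the API itself has to bind the request's `Origin` to the site whose resources are being accessed.

```javascript
// Added example (not from the question or any real product): a pure
// request-authorization routine for the architecture described above.
// Assumptions (all constructed): the API lives on api.example.test, each
// builder site has its own origin registered in SITES, and the session
// cookie "sid" is HttpOnly + Secure + SameSite=None so browsers attach it
// to credentialed cross-origin fetches from the builder sites.

const SITES = {
  "https://alice.sites.example.test": { siteId: "alice" },
  "https://bob.sites.example.test":   { siteId: "bob" },
};

// Constructed session store: cookie value -> authenticated user.
const SESSIONS = { "s3cr3t-session-id": { user: "hjahan" } };

// Set-Cookie value the login endpoint would emit (constructed attributes).
function sessionCookieHeader(sid) {
  return `sid=${sid}; Path=/; HttpOnly; Secure; SameSite=None`;
}

// Minimal Cookie header parser: "a=1; b=2" -> { a: "1", b: "2" }.
function parseCookies(header) {
  const out = {};
  for (const part of (header || "").split(";")) {
    const i = part.indexOf("=");
    if (i > 0) out[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return out;
}

// Dynamic CORS: echo the Origin only if it is a registered site. Never "*":
// a wildcard cannot be combined with Access-Control-Allow-Credentials, and
// Vary: Origin keeps caches from serving one site's headers to another.
function corsHeaders(origin) {
  if (!Object.prototype.hasOwnProperty.call(SITES, origin)) return null;
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
    "Access-Control-Allow-Methods": "GET, POST, PUT, DELETE",
    "Access-Control-Allow-Headers": "Content-Type",
    "Vary": "Origin",
  };
}

// Authorization decision for a request against /sites/<siteId>/...
// CORS only controls whether the calling page may *read* the response; the
// browser still sends the cookie, so the server must bind the calling
// origin to the site whose data is being touched, for reads and writes alike.
function authorize(req) {
  const cors = corsHeaders(req.origin);
  if (!cors) return { status: 403, reason: "unknown origin" };
  const sid = parseCookies(req.cookie).sid;
  const session = sid && SESSIONS[sid];
  if (!session) return { status: 401, reason: "no session", headers: cors };
  const m = /^\/sites\/([^/]+)\//.exec(req.path);
  if (!m) return { status: 404, reason: "no such resource", headers: cors };
  const targetSite = m[1];
  const callerSite = SITES[req.origin].siteId;
  if (targetSite !== callerSite) {
    return { status: 403, reason: "origin may only touch its own site", headers: cors };
  }
  return { status: 200, user: session.user, site: targetSite, headers: cors };
}

// Stand-alone demo over constructed requests.
const demo = [
  { origin: "https://alice.sites.example.test", method: "POST", path: "/sites/alice/pages/1", cookie: "sid=s3cr3t-session-id" },
  { origin: "https://alice.sites.example.test", method: "POST", path: "/sites/bob/pages/1",   cookie: "sid=s3cr3t-session-id" },
  { origin: "https://evil.example.test",        method: "GET",  path: "/sites/alice/pages/1", cookie: "sid=s3cr3t-session-id" },
];
for (const r of demo) {
  const d = authorize(r);
  console.log(r.origin, r.method, r.path, "->", d.status, d.reason || "ok");
}
```

Run it with `node`; the demo prints the decision for a same-site write (200), a cross-site write from a registered site (403) and a request from an unregistered origin (403, with no CORS headers at all). The origin check is the part that actually delivers point 2 of the question: the `Access-Control-Allow-Origin` echo only decides what the calling page can read back, while the `targetSite !== callerSite` comparison is what stops one site's script from changing another site's data with the shared cookie.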

0 Answers