
Let's say you have a website https://example.org which is being decommissioned and redirected to https://example.net.

Your users have a cookie on https://example.org which contains some authentication token for the backend services (e.g. https://backend.example.org). You want the redirect on https://example.org to also transfer this token to a cookie on https://example.net.

Without asking the user to reauthenticate, what is the best way to securely transfer this?

  • Bite the bullet and have users reauthenticate. The burden of them having to type their credentials in again is minimal in comparison to maintaining and testing any system you could come up with. – Nov 05 '21 at 03:50

1 Answer


Something along these lines might work:

  1. Generate an AES encryption key, known to https://example.org and https://example.net.

  2. On the initial request by the user to https://example.org, the server encrypts timestamp|authentication token using the key, then responds with a 301 redirect to https://example.net?xxxxx (where xxxxx is the ciphertext).

  3. On the request to https://example.net?xxxxx, the server uses the key to decrypt xxxxx to get timestamp|authentication token. The server checks that timestamp is not more than n seconds in the past (to avoid replay attacks). If so, the server authenticates the user and stores the authentication token in a cookie for https://example.net.

mti2935
  • If AES is used, make sure to use a variant that allows for message authentication (e.g. AES-GCM), else the plaintext can often be modified. – multithr3at3d Oct 12 '20 at 04:35
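The three steps of the answer above, with the authenticated-encryption point from the comment applied, as a worked example added here (it is not code from the original post or its author). It is written in Go because the standard library ships AES-GCM. The query parameter name h, the /handoff path, the fixed 32-byte shared key and the 30-second replay window are all constructed for the example; the destination host is bound into the ciphertext as GCM additional data so a value minted for example.net fails to open anywhere else.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"net/url"
	"strconv"
	"strings"
	"time"
)

// Key shared by example.org and example.net (step 1). Constructed 32-byte value
// for this example only; a real deployment loads it from a secret store.
var sharedKey = []byte("example-shared-key-32-bytes-long")

const (
	maxAge      = 30 * time.Second // the "n seconds" replay window from step 3 (assumed)
	clockSkew   = 5 * time.Second  // tolerance for the two servers' clocks disagreeing (assumed)
	destination = "example.net"    // bound into the ciphertext as additional data
)

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block) // authenticated mode, so tampering is detected on Open
}

// SealHandoff runs on example.org (step 2): it encrypts "timestamp|token" under the
// shared key and returns a URL-safe value of nonce || ciphertext || tag.
func SealHandoff(key []byte, token string, now time.Time) (string, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil { // fresh random nonce per handoff
		return "", err
	}
	plaintext := []byte(strconv.FormatInt(now.Unix(), 10) + "|" + token)
	sealed := aead.Seal(nonce, nonce, plaintext, []byte(destination))
	return base64.RawURLEncoding.EncodeToString(sealed), nil
}

// OpenHandoff runs on example.net (step 3): it verifies the GCM tag, decrypts, and
// rejects values outside the freshness window as replays.
func OpenHandoff(key []byte, value string, now time.Time) (string, error) {
	raw, err := base64.RawURLEncoding.DecodeString(value)
	if err != nil {
		return "", err
	}
	aead, err := newAEAD(key)
	if err != nil {
		return "", err
	}
	ns := aead.NonceSize()
	if len(raw) < ns+aead.Overhead() {
		return "", errors.New("handoff value too short")
	}
	plaintext, err := aead.Open(nil, raw[:ns], raw[ns:], []byte(destination))
	if err != nil {
		return "", errors.New("handoff value failed authentication") // tampered, wrong key, or wrong destination
	}
	ts, token, ok := strings.Cut(string(plaintext), "|")
	if !ok {
		return "", errors.New("malformed handoff payload")
	}
	issued, err := strconv.ParseInt(ts, 10, 64)
	if err != nil {
		return "", err
	}
	age := now.Sub(time.Unix(issued, 0))
	if age > maxAge || age < -clockSkew {
		return "", errors.New("handoff value expired or not yet valid")
	}
	return token, nil
}

// RedirectLocation builds the Location header for the 301 in step 2.
func RedirectLocation(key []byte, token string, now time.Time) (string, error) {
	value, err := SealHandoff(key, token, now)
	if err != nil {
		return "", err
	}
	u := url.URL{Scheme: "https", Host: destination, Path: "/handoff",
		RawQuery: url.Values{"h": {value}}.Encode()}
	return u.String(), nil
}

// TokenFromRedirect is what example.net's /handoff handler does with the request URL
// before setting the token as a cookie for example.net.
func TokenFromRedirect(key []byte, location string, now time.Time) (string, error) {
	u, err := url.Parse(location)
	if err != nil {
		return "", err
	}
	return OpenHandoff(key, u.Query().Get("h"), now)
}

func main() {
	now := time.Now()
	loc, err := RedirectLocation(sharedKey, "constructed-session-token", now)
	if err != nil {
		panic(err)
	}
	fmt.Println("301 Location:", loc)
	tok, err := TokenFromRedirect(sharedKey, loc, now.Add(2*time.Second))
	fmt.Println("example.net recovered token:", tok, "err:", err)
}
```

Two points worth keeping in view when using this shape: the timestamp window only narrows replay, it does not prevent it, so the handler on example.net should also remember nonces it has already accepted until they age out; and the ciphertext travels in the URL, so it will appear in access logs, browser history and possibly Referer headers, which is why the value is bound to one destination and kept short-lived rather than treated as a durable secret.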