boonebgorges / participad

A WordPress plugin for integrating your WP installation with an instance of Etherpad Lite
http://etherpad.org

cross-domain cookies #14

Open boonebgorges opened 11 years ago

boonebgorges commented 11 years ago

I had to abandon cross-domain cookies during development, because I was having a hard time getting them to work. But in any case, WP needs to be able to set and read the sessionID cookie used by Etherpad, in order to verify permissions on pads.

JohnMcLear commented 11 years ago

In my testing my pads are on example.com/pads where my WP deployment is on example.com --

boonebgorges commented 11 years ago

Yeah, that should work fine. It's when they're on different domains that they're not getting set right - foo.com and bar.com. Subdirectories of the same top-level domain seem to work fine.

AramZS commented 11 years ago

So, there's no way to get this up and running if your Participad install is on a separate domain from the Etherpad install? This looks like we can hack around it by mapping a subdomain of the WordPress site to the etherpad server?

boonebgorges commented 11 years ago

So, there's no way to get this up and running if your Participad install is on a separate domain from the Etherpad install?

Right. The issue, in short, is: We're using EPL sessions to protect access to Pads. EPL sessions are stored in a cookie called sessionID, which is used by EPL to authenticate. We generate the EPL session ID in Participad via the EPL API. But that means that the WP installation now has the value of the session ID, and needs to set a cookie for the EPL installation. If they live on different domains, security restrictions keep WP from doing this. (For good reason: when visiting my website, you wouldn't want me to run setcookie( 'your_fb_login_cookie', $foo, $bar, '.facebook.com' ) and hijack your account.)

Your workaround of mapping a subdomain onto EPL is a great idea, and should work without a hitch.

If the EPL API offered the option of setting the session cookie remotely, it would help. In other words: when I embed the EPL iframe in my WP site, I would like to be able to send a request to http://example.com/pad?setSessionCookie=[sessionID] or something like that, and EPL would asynchronously set the appropriate cookie. However, I don't know how secure this would be, given that EPL's API currently just uses a static API key for auth, which would make sessions subject to sniffing and hijacking pretty easily. Maybe @JohnMcLear has some thoughts about this.
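An added example (not Participad's own code) of the cookie-scoping check behind the explanation above: given the WordPress URL and the EP URL, it decides whether a sessionID cookie set by WP would ever reach EP (same host, subdirectory, or mapped subdomain) and refuses when the two sit on unrelated domains. The function names, and the direct use of parse_url/setcookie rather than WordPress wrappers, are assumptions.

```php
<?php
/**
 * Hypothetical helper (not part of Participad): decide whether a cookie set
 * by WordPress would be sent by the browser to the Etherpad (EP) instance,
 * and if so which Domain/Path it must carry. Returns null when the hosts
 * share no registrable domain (foo.com vs bar.com, the case in this thread).
 */
function participad_ep_cookie_scope( $wp_url, $ep_url ) {
	$wp = parse_url( $wp_url );
	$ep = parse_url( $ep_url );
	if ( empty( $wp['host'] ) || empty( $ep['host'] ) ) {
		return null;
	}
	$wp_host = strtolower( $wp['host'] );
	$ep_host = strtolower( $ep['host'] );
	// Scope the cookie to EP's own path (e.g. /pads) so the rest of the WP
	// site never receives it, and mark it Secure when EP is served over TLS.
	$path   = rtrim( isset( $ep['path'] ) ? $ep['path'] : '', '/' ) ?: '/';
	$secure = isset( $ep['scheme'] ) && 'https' === $ep['scheme'];
	// Same host (example.com and example.com/pads): a host-only cookie works.
	if ( $wp_host === $ep_host ) {
		return array( 'domain' => '', 'path' => $path, 'secure' => $secure );
	}
	// Different hosts: collect the labels they share, from the TLD inwards.
	$a      = array_reverse( explode( '.', $wp_host ) );
	$b      = array_reverse( explode( '.', $ep_host ) );
	$n      = min( count( $a ), count( $b ) );
	$shared = array();
	for ( $i = 0; $i < $n && $a[ $i ] === $b[ $i ]; $i++ ) {
		$shared[] = $a[ $i ];
	}
	// Never scope a cookie to a bare public suffix such as ".com". This only
	// rejects one-label suffixes; a real check should consult the Public
	// Suffix List so that e.g. "co.uk" is rejected as well.
	if ( count( $shared ) < 2 ) {
		return null;
	}
	$domain = '.' . implode( '.', array_reverse( $shared ) );
	return array( 'domain' => $domain, 'path' => $path, 'secure' => $secure );
}

// Set EP's sessionID cookie from WordPress, or refuse when it is cross-domain.
function participad_set_ep_session_cookie( $session_id, $wp_url, $ep_url ) {
	$scope = participad_ep_cookie_scope( $wp_url, $ep_url );
	if ( null === $scope ) {
		return false; // the browser would never send it to EP anyway
	}
	return setcookie( 'sessionID', $session_id, 0, $scope['path'], $scope['domain'], $scope['secure'] );
}
```

With WP on example.com and EP on pads.example.com the cookie is scoped to .example.com, which is the subdomain workaround discussed in the thread; with foo.com and bar.com the helper returns null instead of setting a cookie the browser would silently discard.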

JohnMcLear commented 11 years ago

Don't have much in the way of thoughts to be honest. I think you'd have to propose it at https://github.com/ether/etherpad-lite/issues as I'm sure other people have stronger opinions on it than me. It's another one @rhelmer might be interested in as he's working on the EP Team pad stuff.

Btw EPL is now EP, we dropped the Lite bit. :)