Can PERL send a 3rd party cookie to a users browser?

OpenSpace has asked for the wisdom of the Perl Monks concerning the following question:

I am attempting to build an automated logon to a secure site. Users in my clients portal should be able to click a logon button and gain access to the site without any further action needed.

I have succesfully achieved this using LWP. I am able to pass the page retrieved by LWP back to the user but if the user clicks on link in that page to another page within that secure site they are immediately logged out.

The reason is because the required session cookie is sitting in LWP's cookie jar on my server and not in the users browser (on their PC)

Is there any way I can pass the secure sites cookie back to the users browser and still have the browser believe that the cookie has come from the secure sites domain rather than the domain of my server and the LWP program?

Or is that too much like criminal behaviour! :)

Thanks

Comment on Can PERL send a 3rd party cookie to a users browser?

Replies are listed 'Best First'.
Re: Can PERL send a 3rd party cookie to a users browser? by RonW (Parson) on Nov 26, 2014 at 18:36 UTC
3rd party cookie, in the context of a web page, is where the web page directs the web brows to load content, such as an image, from another web server. Any cookies attached to that included content are considered 3rd party. What your portal is doing is actually proxying. The browser sees the cookie coming from your portal. Also, it's possible the cookie has encoded the IP address of your portal in it, so the secure website might reject the cookie because the web browser's IP address won't match the IP address encoded in the cookie. What you need to do is make the web browser always access the secure website through your portal. One way to do this would be to enhance your portal to re-write the URLs in the responses from the secure server so that they refer to the portal. Then the portal needs to forward further requests from the browser to the secure site. There are several http proxy examples on CPAN. Alternately, your company's IT dept can redirect requests for the secure website to your portal. Of course, your portal will still have to properly forward requests and responses.	[reply]
Re^2: Can PERL send a 3rd party cookie to a users browser? by Jenda (Abbot) on Nov 27, 2014 at 16:50 UTC
A site that would include the client's IP address in the cookie would be unusable to quite a few. There is no guarantee that your requests always come from the same IP address if you are behind a firewall. Been there, got bitten. Jenda Enoch was right! Enjoy the last years of Rome.	[reply]
Re: Can PERL send a 3rd party cookie to a users browser? by Jenda (Abbot) on Nov 27, 2014 at 16:53 UTC
You can set cookie in JavaScript so your Perl script could, once it gets the cookie, add a tiny snippet of JavaScript to the HTML it forwards to the users and the JavaScript would set the cookie within the clients' browser. Jenda Enoch was right! Enjoy the last years of Rome.	[reply]
Re: Can PERL send a 3rd party cookie to a users browser? by Anonymous Monk on Nov 26, 2014 at 19:45 UTC
I believe the trick is to send to the user some Javascript which will create a form, set its method ('post') and action ('different.server.com'), fill the form and immediately submit it.	[reply]
Re^2: Can PERL send a 3rd party cookie to a users browser? by OpenSpace (Novice) on Nov 27, 2014 at 11:19 UTC
Thanks anon I think I would still have problems with the cookie, as the form would be on the users PC and the server controlling the logon would be looking for the cookie it had already set in the first stages of the logon. Unfortunately that would not be on the PC but in my LWP cookie jar.	[reply]
Re^3: Can PERL send a 3rd party cookie to a users browser? by Anonymous Monk on Nov 27, 2014 at 12:14 UTC
I wonder if hidden iframe pointing to (the start page of?) the logon server would work. Then the browser would send request to the server (asking for the iframe's content), and the server would send a cookie along with the document. And then Javascript would submit the form. That's in theory. I've personally never done that before. If you'll get this working, be so kind and let us know! I for one am really curious. BTW, it does look like a good way to steal other peoples passwords :)	[reply]
Re^4: Can PERL send a 3rd party cookie to a users browser? by Anonymous Monk on Nov 27, 2014 at 12:30 UTC
Re: Can PERL send a 3rd party cookie to a users browser? by OpenSpace (Novice) on Nov 30, 2014 at 23:25 UTC
Thanks for these suggestions, they are interesting ideas. I will try and find the time to run some tests. If anything works I'll post it hear for future reference. Cheers	[reply]