Securing Sessions & Cookies for In-Site Third Party App Development

[beachersaussie]

Hello PHPFreakers,

 

Ive built a webpage dashboard that allows you to add "widgets" much like iGoogle (or Geckoboard - on an interface level).

 

Now iGoogle (as does Facebook) uses iFrames to serve up these 3rd-party Apps or widgets.

From my research they do this because it makes the Apps more "secure" in the fact they cannot directly access the sessions and cookies set on the igoogle or facebook domain and instead are forced to use the full API process, also helping guard against apps changing the user_id cookie and therefore allowing API access to other data.

 

Now, from my point of view this is somewhat restrictive because: I allow full screen apps, if I was to use iFrame the navigation or control bar would have to be appended to the main BODY of the site as it could not be injected into the iFrame. So what happens when the App/Widget needs to add controls to said bar ... it can't. If you were to add the bar to the iFrame, the site then cannot inject the control bar with the options (forcing a developer to use them).

 

Any ideas on how any/all of this could be overcome?

 

I know of jquery.append and load but would this all really be that secure and safe given all of the above? And why do iGoogle and Facebook then not use these technologies?

 

Look forward to discussing more with all of you

 

[side note: Widgets must be pre-approved, same for updates, must use an oAuth/RESTful API and conform to certain standards. - Just in case that is any use when discussing ]

 

Thanks

[xyph]

Where exactly are we discussing PHP?

 

This is entirely protocol-level communication and security, and has little to do with PHP.

 

This topic's going to get moved as well unless you want to discuss PHP at some critical stage.

[beachersaussie]

Absolutely nobody?

[beachersaussie]

bump

 

(I also fail to see how this is AJAX specific ... anyway)

[beachersaussie]

bump

[beachersaussie]

BUMP