I have built a website (A) which logs in to and retrieves customer data from a separate web service.
The organisation that owns (A) also has a website (B) which has a web form. They want a logged-in customer on (A) to be able to click across to (B) and see a pre-populated form with their details.
This means (A) must write their customer ID to a cookie, which (B) can read, and then (B) can request the data from the web service, and pre-populate the form.
This raises two questions:
Can website (B) read the cookie for website (A)?
If so, to prevent someone from editing a cookie and seeing other people's data in the form, I would need to do something like encrypt the cookie on (A) and then have that decrypted in (B) - any suggestions along this line?
I can't change the existing login to OAuth or something, as the web service is consumed by several other sites, so this cannot change.
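Added example, not part of the question above: two things decide the answer. A cookie is only visible to (B) if (A) and (B) share a registrable domain (say a.example.com and b.example.com) and (A) sets the cookie with a Domain attribute of the common parent (.example.com); a cookie set by a host on a different registrable domain is never sent to (B). And what stops a user from editing the cookie is integrity protection, not secrecy: an HMAC tag computed by (A) over the customer ID and an expiry, checked by (B) with a shared secret, rejects any edited value, whereas unauthenticated encryption on its own does not. The host names, cookie name, secret and TTL below are assumptions for illustration.

```python
import base64
import binascii
import hashlib
import hmac
import time

# Assumed: one secret shared out-of-band between the two sites. In production
# generate it with os.urandom(32) and keep it out of source control.
SHARED_SECRET = b"replace-with-32-random-bytes-from-os-urandom"
COOKIE_NAME = "customer_handoff"      # hypothetical name
COOKIE_DOMAIN = ".example.com"        # common parent so both hosts receive it
TTL_SECONDS = 300                     # short: the cookie only exists for the hand-off


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(customer_id: str, now: float = None, secret: bytes = SHARED_SECRET) -> str:
    """Site (A): bind the customer ID and an expiry to an HMAC-SHA256 tag."""
    exp = int((time.time() if now is None else now) + TTL_SECONDS)
    payload = f"{customer_id}|{exp}".encode()
    tag = hmac.new(secret, payload, hashlib.sha256).digest()
    return f"{_b64e(payload)}.{_b64e(tag)}"


def verify_token(token: str, now: float = None, secret: bytes = SHARED_SECRET):
    """Site (B): return the customer ID if the tag verifies and the token is
    unexpired, otherwise None. Any edit to the ID or expiry breaks the tag."""
    try:
        payload_b64, tag_b64 = token.split(".", 1)
        payload = _b64d(payload_b64)
        tag = _b64d(tag_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(secret, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        return None
    customer_id, _, exp = payload.decode().rpartition("|")
    if int(exp) < (time.time() if now is None else now):
        return None
    return customer_id


def set_cookie_header(token: str) -> str:
    """The Set-Cookie header (A) would emit so that (B), on the same parent
    domain, receives the cookie over HTTPS only and script cannot read it."""
    return (f"{COOKIE_NAME}={token}; Domain={COOKIE_DOMAIN}; Path=/; "
            f"Max-Age={TTL_SECONDS}; Secure; HttpOnly; SameSite=Lax")


if __name__ == "__main__":
    tok = mint_token("C-12345")
    print(set_cookie_header(tok))
    print("B sees customer:", verify_token(tok))
```

(B) then uses the verified customer ID to call the web service itself; the cookie never needs to carry the customer's data, so nothing confidential sits in the browser, and the short Max-Age limits how long a captured cookie is useful.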