Authenticating across different subdomains (but not all)

I have a site set up on www.domain.com, the site can authenticate users and persist their credentials in a cookie.

On occasions the users access handlers that are set开发者_运维问答 up on different servers on a different sub domain. handlers.domain.com

I can't afford to use wildcard subdomain cookies (Cookies should not be available for other subdomains)

My solution for access control up until now was that every URL used for handlers.domain.com had a guid specific to the user. The handlers on the other site would assume the identity of the guid owner. This of course is not such a good security practice.

i was thinking about an alternative solution: All links to handlers.domain.com will actually be links to a redirector script on www.domain.com that will redirect to an encrypted time stamped url on handlers.domain.com which will then know for sure that it was accessed as a direct authenticated redirection from www.domain.com. This solution will work fine on GET scenarios but will fail with handlers expecting POST data (up do big uploaded files)

Does anyone know or can think of a better solution or have any insight on my solution?

(In this case I am using ASP.NET but the solution will probably be platform agnostic, so I will tag this with various web platforms)

Thanks!

As you do not want to use cookies to establish a session (group of requests) you need to find other ways. As the information of the cookie is passed readable within the HTTP request, I do not see a problem if you for that one particular request pass that information as part of a POST request.

If you prefer a GET request I would additionally add a flag inside the users server-side session prior the redirect so to give the script that is the destination of the redirect the possibility to verify the validity of the request on the server-side.

You said you "can't afford to use wildcard subdomain cookies (Cookies should not be available for other subdomains)". Does that mean you can't afford it monetarily or you you don't want the user to have access to all subdomains? If it's the second, you could still use subdomain cookies by putting in an encrypted value with that user's ID and check it versus access permissions on your various subdomains. That keeps everything at the server where it's more secure versus at the URL level. The only way a potential hacker can get past it is to guess another user's ID and figure out your keys for properly encrypting it.