Chapter 6. Authentication and sessions

This chapter covers

  • Introduction to third-party cookies
  • Authenticating and persisting sessions from your third-party application
  • Workarounds when third-party cookies are disabled
  • Techniques for defending against session hijacking

Up until this point, we’ve been implementing user-agnostic applications. No matter who’s loaded your third-party script, they all experience the same version of the application. But what if, instead, your application could identify users who are currently (or previously) signed in to your service? Leveraging any data you might have about that user, you might be able to deliver them a customized and improved experience.

You’ve probably seen this behavior in third-party applications before. For example, Facebook’s omnipresent Like button knows whether you’re currently signed in to Facebook. Sometimes it’ll show you if your friends have already “Liked” the content you’re viewing. Or if you click the Like button yourself, it’ll automatically share that content to your Facebook news feed, without prompting you to log in.

6.1. Third-party cookies

6.2. Setting third-party cookies

6.3. Securing sessions

6.4. Summary