Can Cookies Be Securely Sent From One Machine To Another To Access A Resource

- 1 answer

There are four pieces to this problem:

Mobile app
API server
Laravel 4.2 Web App server
Client web view (UIWebView/browser)

I am looking for the best means to ensure secure API access to the Client when authentication took place on the Mobile App. Below I have outlined my current strategy:

Mobile ---(1) basic auth credentials ------> Laravel
 App                                          server
                                            /   ^   \
                                      (4)  /     \   \  (2) basic auth/
                                  cookie/ /       \   \    initial API request
                                  data   /     (3) \   \
                    Client  <___________/ payload/  \   \
                       |                   cookie    \   \_>   API
                       |(5)                           -----  server
                       |cookie/                                 ^
                       |request                                 |

In case my drawing isn't clear, the following happens:

  1. basic auth info is sent from the mobile app to the laravel server
  2. basic auth info is sent to the API server with the initial data request from Laravel
  3. the API server responds with the initial payload and an access cookie
  4. I pass the access cookie on to the client
  5. Client is now free to access the API server with cookie

I am no security expert, but I don't see any fatal flaws in this approach. All transmissions are being sent via HTTPS and basic credentials are never sent to the client.

So my question predominantly lies in steps 4 and 5. Is this secure/possible with Laravel/anywhere?

I have seen in the Docs that one can get and set cookies with

// Laravel 4.2: attach a cookie to an outgoing response
$minutes = 60; // cookie lifetime in minutes (placeholder value)
$response = Response::make('Hello World');
$response->withCookie(Cookie::make('name', 'value', $minutes));

on the client side, though I am not sure how to ensure that my cookie is being sent with my API requests. Any input would be great.

Note: I am responsible for the Laravel server and the Client. Our company is just beginning to adopt a hybrid approach for portions of our mobile app, so we are new to handling authentication when mixing platforms (i.e. we know how to do a web login, just not an indirect auth like this).

Thanks ahead of time!
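To reason about step 5, it helps to see the browser-side rule that decides which requests a stored cookie is attached to: a cookie is keyed by the host that set it (plus its Domain, Path and Secure attributes), so the client only sends the API server's cookie back to the API server's host. The following is an added example, not code from the question or the answer; the hostnames are placeholders and the cookie attributes are constructed.

```python
# Minimal RFC 6265 "is this cookie sent to this URL?" check (added example).
from urllib.parse import urlsplit

def domain_matches(request_host: str, cookie_domain: str, host_only: bool) -> bool:
    """RFC 6265 5.1.3: a host-only cookie (no Domain attribute) matches only the
    exact host that set it; a domain cookie also matches subdomains."""
    request_host = request_host.lower()
    cookie_domain = cookie_domain.lower().lstrip(".")
    if host_only:
        return request_host == cookie_domain
    return request_host == cookie_domain or request_host.endswith("." + cookie_domain)

def path_matches(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 5.1.4 path-match: identical, or a prefix ending at a '/' boundary."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False

def cookie_is_sent(cookie: dict, url: str) -> bool:
    """Decide whether a stored cookie is attached to a request for `url`.
    cookie keys: domain, host_only, path, secure."""
    u = urlsplit(url)
    if cookie["secure"] and u.scheme != "https":
        return False  # Secure cookies never travel over plain HTTP
    return (domain_matches(u.hostname or "", cookie["domain"], cookie["host_only"])
            and path_matches(u.path or "/", cookie["path"]))

# Constructed sample: the access cookie the API server issued in step 3.
# A cookie set by api.example.com is stored under that host; a response from
# the Laravel host can only set cookies for the Laravel host's own domain.
API_COOKIE = {"domain": "api.example.com", "host_only": True,
              "path": "/", "secure": True}

if __name__ == "__main__":
    print(cookie_is_sent(API_COOKIE, "https://api.example.com/v1/data"))      # True
    print(cookie_is_sent(API_COOKIE, "https://laravel.example.com/dash"))     # False
```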



The answer is no: this cannot be done with cookies. They are only valid for the path that set them (they cannot be shared between the Laravel and Java servers).