public/lucidAuth.login.php

@@ -39,8 +39,7 @@
 				"Result"			=>	"Success",
 				"Location"			=>	$originalUri,
 				"CrossDomainLogin"	=>	$settings->Session['CrossDomainLogin'],
-                "CookieDomains"     =>  json_encode(array_diff($settings->Session['CookieDomains'], [$_SERVER['HTTP_HOST']])),
+                "CookieDomains"     =>  json_encode(array_diff($settings->Session['CookieDomains'], $_SERVER['HTTP_HOST']))
-                "SecureToken"       =>  $result['token']
 			]);
 		} else {
 			switch ($result['reason']) {

public/lucidAuth.setXDomainCookie.php

@@ -18,19 +18,14 @@
         switch ($queryString['action']) {
             case 'login':
                 if (validateToken($queryString['token'])['status'] === "Success") {
-                    // This request appears valid; try storing a cookie
+                    // This request appears valid; store a cookie
                     $httpHost = $_SERVER['HTTP_HOST'];
-                    $httpOrigin = $_SERVER['HTTP_ORIGIN'];
-                    // Check if $_SERVER['HTTP_HOST'] and $_SERVER['HTTP_ORIGIN'] match any of the configured domains (either explicitly or as a subdomain)
-                    //   This might seem backwards, but relying on $_SERVER directly allows spoofed values with potential security risks
                     $cookieDomain = array_values(array_filter($settings->Session['CookieDomains'], function ($value) use ($httpHost) {
-                        return (strlen($value) > strlen($httpHost)) ? false : (0 === substr_compare($httpHost, $value, -strlen($value)));
+                        // Check if $_SERVER['HTTP_HOST'] matches any of the configured domains (either explicitly or as a subdomain)
+                        //   This might seem backwards, but relying on $_SERVER directly allows spoofed values with potential security risks
+                    return (strlen($value) > strlen($httpHost)) ? false : (0 === substr_compare($httpHost, $value, -strlen($value)));
                     }))[0];
-                    $originDomain = array_values(array_filter($settings->Session['CookieDomains'], function ($value) use ($httpOrigin) {
+                    if ($cookieDomain && setcookie('JWT', $queryString['token'], (time() + $settings->Session['Duration']), '/', '.' . $cookieDomain)) {
-                        return (strlen($value) > strlen($httpOrigin)) ? false : (0 === substr_compare($httpOrigin, $value, -strlen($value)));
-                    }))[0];
-                    if (($cookieDomain && (is_null($httpOrigin) || $originDomain)) && setcookie('JWT', $queryString['token'], (time() + $settings->Session['Duration']), '/', '.' . $cookieDomain)) {
-                        header("Access-Control-Allow-Origin: {$_SERVER['HTTP_ORIGIN']}");
                         header("HTTP/1.1 202 Accepted");
                         exit;
                     }

public/misc/script.iframe.js

@@ -1,10 +0,0 @@
-$(document).ready(function(){
-    $.post("lucidAuth.setXDomainCookie.php", {
-        do: "login",
-        ref: $('#ref').val()
-    })
-    .done(function(data,_status) {
-        if (data.Result === 'Success') {
-        }
-    });
-});

public/misc/script.index.js

@@ -32,33 +32,27 @@ $(document).ready(function(){
 					});
 					if (data.CrossDomainLogin) {
 console.log('CrossDomainLogin initiated');
-// do ajax in parallel, show progress,
+// For reference:
-// redirect once all finished loading or timeout after $X ms
+//          [
-// origin domain should be exempted from timeout
+//				"Result"			=>	"Success",
-//   (because origin domain can/will be different from current domain --due to traefik design).
+//				"Location"			=>	$originalUri,
+//				"CrossDomainLogin"	=>	$settings->Session['CrossDomainLogin'],
+//              "CookieDomains"     =>  json_encode(array_diff($settings->Session['CookieDomains'], $_SERVER['HTTP_HOST']))
+//			]);
+
+                        var cookieDomains = json_decode(data.CookieDomains);
+                        console.log(data.CookieDomains);
+// let the client setup multiple iframes for all domains
+// psuedo-code: foreach (cookieDomains as domain) { $.get(domain, ref=[action,token])}
+
+    //   validate each request against JWT-tokens in database
+    //   load all iframes parallel, show user progress and redirect once all iframes have finished loading; or after treshold of X ms has been reached
+    //   origin domain should be exempted from the treshold (because origin domain can be different from current domain -due to traefik design).
 
-                        var cookieDomains = JSON.parse(data.CookieDomains);
-                        var XHR = [];
-                        cookieDomains.forEach(function(domain) {
-                            XHR.push($.get({
-                                url: "https://auth." + domain + "/lucidAuth.setXDomainCookie.php",
-                                crossDomain: true,
-                                data: {
-                                    ref: btoa(JSON.stringify({
-                                        action: 'login',
-                                        token: data.SecureToken
-                                    }))
-                                }
-                            }));
-                        });
-                        $.when.apply($, XHR).then(function(){
-                            $.each(arguments, function(_index, arg) {
-                                console.log(JSON.stringify(arg));
-                            });
-                        });
 					}
+
                     // Finished (either succesfully or through timeout) cross-domain logins
-					//window.location.replace(data.Location);
+					window.location.replace(data.Location);
 				}, 2250);
 			} else {
 				$('#btnlogin').css({