From f9fa22d4b549b94d7334332b5b432707ae90fa04 Mon Sep 17 00:00:00 2001 From: Christoph Burschka Date: Sat, 18 Jan 2014 13:05:04 +0100 Subject: Explain the cross-domain thing. --- plugins/session/README.md | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/plugins/session/README.md b/plugins/session/README.md index 6fccc82..832e779 100644 --- a/plugins/session/README.md +++ b/plugins/session/README.md @@ -38,11 +38,16 @@ domain should be sufficient). Usage ----- +Note: Standard security policies prevent JavaScript from making cross-domain +requests, and particularly from transmitting cookies with such requests. +Therefore, your forum, the `rpc.php` script, *and* the web client must be hosted +on the same domain for this feature to work. + Whenever you need to authenticate to ejabberd, make a POST request to the URL that points at `www/rpc.php` with `salt` set to a reasonably random 16 character value. -If the client making the POST request has a valid session for the site you're +If the client making the POST request transmits a valid session for the site you're authenticating with, then you will receive a JSON-encoded response as follows: `{"user":"","secret":"","time":"
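Review bot: The new note in the Usage hunk misstates the browser rule it relies on, so the "same domain" requirement is explained with the wrong reason. The restriction is the same-origin policy, which blocks a script on one origin from reading the response to a request sent to another origin, and an origin is scheme plus host plus port, not just the domain. Browsers do transmit cookies with cross-site requests such as form submissions; what the script is denied is the response, which is why the JSON with `user` and `secret` is unreadable from another origin. Suggest rewording the two sentences "Standard security policies prevent JavaScript from making cross-domain requests, and particularly from transmitting cookies with such requests." to something like "The same-origin policy prevents JavaScript on one origin from reading responses to requests it sends to another origin, and cross-origin requests do not carry the user's session cookie by default.", and stating the requirement as "same origin (scheme, host and port)" rather than "same domain". It would also help the reader to say explicitly that this is a browser-side limit, so that deployments which must host the client elsewhere know the only alternative is opting in with CORS (`Access-Control-Allow-Origin` for the exact client origin plus `Access-Control-Allow-Credentials: true`), which hands the session-bound `secret` to every origin listed there and should not be done casually.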