My website (A) should display content only for those users who are logged in on another website (B), which is on another domain. I can't access the cookies, so I have to look for other options.

The only way of doing this I see right now is to send an XMLHttpRequest to B using CORS with credentials, and since B has access to the session cookie of its origin, it can respond whether the user is logged in or not. The response has to be sent to server A via AJAX so it can determine what kind of content to display.

But how should the response look? How to handle it? As long as the client controls this area, a yes/no answer is not a choice. What kind of data can I pass so that the client won't be able to send a fake valid request to A?

B is not the only website I need to interact with this way. There are C, D, E... and each has its own authentication system, so I can't use SSO.
If you can’t use shared cookies, then you need something like OAuth. Ultimately there needs to be some sort of authentication token in the HTTP request/response. Where that token comes from is up to you, but it certainly should not come from the client.
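One way to build a token the browser can relay but not forge, as an added example that is not part of the original thread: B signs a short-lived assertion bound to a nonce that A issued for this session, and A verifies it server-side. The shared HMAC key, the function names and the claim names are assumptions made for illustration.

```python
import base64, hashlib, hmac, json, time

# Assumption: A and B agree on this key out of band; the browser never sees it.
SHARED_KEY = b"constructed-demo-key-not-for-production"

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode()

def b_issue_assertion(user_id, nonce, key=SHARED_KEY, now=None, ttl=60):
    """Site B: call only after B has validated its own session cookie."""
    now = int(time.time()) if now is None else now
    claims = {"iss": "B", "aud": "A", "sub": user_id,
              "nonce": nonce, "exp": now + ttl}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    return body + "." + sig

def a_verify_assertion(token, expected_nonce, key=SHARED_KEY, now=None):
    """Site A: return the user id, or None if the token is not acceptable."""
    now = int(time.time()) if now is None else now
    try:
        body, sig = token.split(".")
        want = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
        if not hmac.compare_digest(sig, want):
            return None                  # forged or tampered by the client
        claims = json.loads(base64.urlsafe_b64decode(body))
    except (ValueError, TypeError, AttributeError):
        return None                      # malformed input
    if claims.get("iss") != "B" or claims.get("aud") != "A":
        return None                      # issued by or for a different site
    if claims.get("exp", 0) < now:
        return None                      # expired
    got_nonce = str(claims.get("nonce")).encode()
    if not hmac.compare_digest(got_nonce, expected_nonce.encode()):
        return None                      # replayed from another session
    return claims.get("sub")
```

With sites C, D and E, each issuer would get its own key and `iss` value so that one site cannot vouch for another's users.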