views: 203, answers: 2

Hi,

The company I work for has four domains and I'm trying to set up the cookies, so one cookie can be generated and tracked across all the domains. From reading various posts on here I thought it was possible.

I've set up a subdomain on one site, to serve a cookie and 1*1 pixel image to all four sites.

But I can't get this working on the other sites.

If anyone can clarify that:

  1. It's possible?
  2. If I'm missing something obvious or a link to a good example?

I'm trying to do this server side with PHP.

Thanks

+1  A: 

Are you having issues due to Internet Explorer and their Privacy stuff? Session variables are lost if you use FRAMESET in Internet Explorer 6

Back in my former internet days, when IE6 first came out, we had to implement this because it broke some of our tracking. It's amazing that all you have to do is fake it, and everything works fine.

You're on the right track, we had a domain that hosted the tracking cgi that served the 1x1 transparent pixel and tracked what page a user was visiting. We then had a custom parser that would combine that data with Apache logs and dynamically created a graph of users' traffic patterns through our website. This was using dot from the Graphviz package.

Digicoder
A: 

This kind of thing is pretty easy if you are just trying to do stats, but if you're actually trying to persist user data across domains you'll have to do something more complicated.

The best way to set a cross-domain cookie is to make sure all your sites are subdomains of one master domain, say initech.com. So one of your sites, site1.initech.com, sets the cookie with a domain of ".initech.com" and it works fine.

It could be a problem if your sites are on totally different domains though.

Rather than try to set one cookie that each site can access, what you'll have to do is make sure that each site has its own exact duplicate of the original cookie. So, have your site, site1.com, set the cookie for itself and output three 1x1 gifs, or AJAX calls or whatever, to site2.com, site3.com and site4.com setting the same cookie to the same value.

This will be difficult to do securely and reliably ;)

To make sure somebody can't set arbitrary cookies on your domain, you'll have to pass through a hash of the cookie value on the image tag. If the cookie to be set is "mycookieval", also pass through `md5("mycookieval"."somesecretstring".$_SERVER['REMOTE_ADDR'])`. This is potentially bad because it might allow an attacker to set the same cookie to the same IP address, or possibly to brute-force the hash generation.

You could compensate for this by inserting a record into a backend database whenever you set the cookie, and having the other three sites check against it for validity.

p.g.l.hall
It's not the best way - it's the **only way** and even then it will fail depending on the browser config. Use an SSO mechanism to implement the solution (you don't actually have to ask for a username and password) where you have **copies** of the cookie on each domain.
symcbean
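
An added example, not code from either answer: one way the receiving sites could validate the pixel request before copying the cookie. It swaps the `md5()` concatenation for HMAC-SHA256 bound to the receiving host and a short expiry, and compares in constant time. `SYNC_SECRET`, `SYNC_TTL`, `sign_sync()` and `verify_sync()` are hypothetical names, and the secret and timestamps are constructed placeholders.

```php
<?php
// Added example (not from the thread). All names below are hypothetical.
const SYNC_SECRET = 'replace-with-32-random-bytes-shared-by-all-four-sites';
const SYNC_TTL = 60; // seconds a signed pixel URL stays valid

// Build the query string site1.com appends to the pixel URL on $targetHost.
function sign_sync(string $value, string $targetHost, int $now): string
{
    $expires = $now + SYNC_TTL;
    // Bind value, receiving host and expiry into one keyed MAC, so the URL
    // cannot be reused later or pointed at a different site.
    $mac = hash_hmac('sha256', $value . "\n" . $targetHost . "\n" . $expires, SYNC_SECRET);
    return http_build_query(['v' => $value, 'e' => $expires, 'm' => $mac]);
}

// Run on the receiving site before setcookie(). Returns the value or null.
function verify_sync(array $query, string $myHost, int $now): ?string
{
    foreach (['v', 'e', 'm'] as $k) {
        if (!isset($query[$k]) || !is_string($query[$k])) {
            return null; // missing field or array-valued parameter
        }
    }
    if (!ctype_digit($query['e']) || (int) $query['e'] < $now) {
        return null; // malformed or expired
    }
    // Recompute with this site's own host name, never one taken from the request.
    $expected = hash_hmac('sha256', $query['v'] . "\n" . $myHost . "\n" . $query['e'], SYNC_SECRET);
    // hash_equals() compares in constant time.
    return hash_equals($expected, $query['m']) ? $query['v'] : null;
}

// Constructed demo: site1.com signs a value for site2.com.
$now = 1700000000; // fixed timestamp so the demo is repeatable
parse_str(sign_sync('mycookieval', 'site2.com', $now), $q);
var_dump(verify_sync($q, 'site2.com', $now + 10));  // valid request
var_dump(verify_sync($q, 'site3.com', $now + 10));  // signed for another host
var_dump(verify_sync($q, 'site2.com', $now + 120)); // past the expiry
$q['v'] = 'attackerval';
var_dump(verify_sync($q, 'site2.com', $now + 10));  // value tampered
```

The expiry narrows the replay window but does not make a URL single-use; the backend record suggested in the answer above is what would let each site reject a token it has already accepted.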