views: 237

answers: 2

Hi, is it possible to use cURL or other means to set a cookie on another domain? I have access to the PHP file on the other domain that can set the cookie, but I do not know how to access that PHP file using cURL and then set the cookie.

+3  A: 

You can use cURL to get a cookie ID from another domain, and then use that inside your program, but if you mean set a cookie on a browser: no, you cannot. Cookies can only be set for the domain that they were generated on.

webdestroya
+1  A: 

If you are trying to set up a way to auto log in (or similar) on the second site, and you control that site, you only really have one option (maybe there are more that I don't know about).

  • Generate a nonce and store in db
  • Associate the current date / time and the user agent with it
  • Attach it to a link to the 2nd site via GET

Now, when the 2nd site receives an inbound link with this GET param, it should

  • Verify nonce exists
  • Verify user agent hasn't changed
  • Verify the time between nonce created and requested isn't too long (I go with 10 minutes).
  • Delete nonce

Be Warned

This session could be hijacked, for example by some man in the middle. But the person that hijacks it must do all these things

  • View the outgoing nonce
  • Copy it and access the site before the original person does
  • Have the same user agent string

Keep that in mind.

You could also check for the IP being constant, but this may cause some people to not be authenticated if their IP changes, and it won't help multiple people using the same external IP.

alex
This is exactly what I am trying to do :) The second site requires a cookie to be set once logged in. Two questions from the steps posted above. 1. Do I still use cURL or other to send the nonce? 2. How does the cookie get created? If I use setcookie it does not work. Thanks.
jdeans
Cookies will be useless for the initial setup of this multi-server authentication process. The CURL connection will be done server->server. It will not involve the client browser at all, so there's no way for server A to transmit a cookie from server B to the client, in such a way that it'd work on server B as a cookie.
Marc B
+1 just because I've learned a new word. xP @jdeans: @alex's solution doesn't require cookies to work, think of it like a temporary password that is transmitted via the URL.
Alix Axel
@Alix Are you referring to nonce? @Cacha102 showed it to me a while back.
alex
@alex: Indeed, nice way to keep the knowledge flowing. =)
Alix Axel
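
The nonce hand-off from alex's answer, as an added example that is not code from the thread. It assumes both sites can reach the same nonce table (an in-memory SQLite database stands in for it here); the table, the function names, the `user_id` column and the `site-b.example.org` URL are hypothetical.

```php
<?php
// Added example, not from the thread; all names and the URL are assumptions.
const NONCE_TTL = 600; // 10 minutes, the window suggested in the answer

function nonceStore(): PDO {
    $db = new PDO('sqlite::memory:'); // stand-in for the real nonce database
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE login_nonce (nonce TEXT PRIMARY KEY, user_id INTEGER, user_agent TEXT, created_at INTEGER)');
    return $db;
}

// Site A: the user is logged in here; build the link to site B.
function issueLink(PDO $db, int $userId, string $userAgent, int $now): string {
    $nonce = bin2hex(random_bytes(32)); // unguessable value from the CSPRNG
    $db->prepare('INSERT INTO login_nonce VALUES (?, ?, ?, ?)')
       ->execute([$nonce, $userId, $userAgent, $now]);
    return 'https://site-b.example.org/login.php?nonce=' . $nonce;
}

// Site B: returns the user id to log in, or null when any check fails.
function redeem(PDO $db, string $nonce, string $userAgent, int $now): ?int {
    $sel = $db->prepare('SELECT * FROM login_nonce WHERE nonce = ?');
    $sel->execute([$nonce]);
    $row = $sel->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null; // unknown or already used
    }
    // Delete before the other checks: the nonce is spent whatever they say,
    // and only the request whose DELETE removed the row may continue.
    $del = $db->prepare('DELETE FROM login_nonce WHERE nonce = ?');
    $del->execute([$nonce]);
    if ($del->rowCount() !== 1) {
        return null; // a concurrent request redeemed it first
    }
    if (!hash_equals($row['user_agent'], $userAgent)) {
        return null; // user agent changed
    }
    if ($now - (int) $row['created_at'] > NONCE_TTL) {
        return null; // link is older than the window
    }
    return (int) $row['user_id'];
}

// Constructed demo values.
$db = nonceStore();
$ua = 'Mozilla/5.0 (constructed sample)';
parse_str(parse_url(issueLink($db, 42, $ua, 1000), PHP_URL_QUERY), $q);
var_dump(redeem($db, $q['nonce'], $ua, 1300)); // first visit, inside the window
var_dump(redeem($db, $q['nonce'], $ua, 1301)); // same link replayed
```

When `redeem()` returns a user id, site B's own script is the place to call `session_start()` or `setcookie()`: the browser is requesting site B directly at that point, so the cookie is set for site B's domain.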