tags:

views:

1060

answers:

6
+3  Q: 

Any means of reading third party cookies from "friend" sites?

A recent question made me post this one.

I'm working on a set of web pages that have some very simple user login, and store the user id in a cookie. Let's say that due to certain decisions which I'm in no position to overrule, the pages use several alternate domain names. I.e., the login page uses one domain name, and the page that should be able to verify whether the user is logged in could be in another domain. Of course, in most browsers, third party cookies are disabled, so setting the userid cookies for all possible domains is out of question. AFAIK, read access is outright impossible, since neither the browser sends third party cookies to the server, nor are they accessible from javascript.

Is someone aware of a workaround, apart from redirecting all page requests to a common domain name? Both server and client side solutions are welcome.

Update 1: when I say workaround, I don't necessarily mean any means of forcing cookies through. Solutions replacing cookie based authentication are also accepted, if they are simple enough.

Update 2: the domains are not in the same hierarchy, but they all map to the same IP address.

+14  A: 

There should be no workaround. Each workaround would be considered a bug (or more correctly a security issue)

Sven Lilienthal  2009-01-21 16:34:57
I would normally agree, if it weren't for the fact that I, the owner of domain A, would like to **explicitely** allow pages in domain B to read (some of) my cookies. I seen no security issue when both sites give their approval.
David Hanak  2009-01-21 17:31:25
Well you could use your ip-address as your cookie-url. Would that solve your problem?
Sven Lilienthal  2009-01-21 17:35:51
It would (the various domain names map to the same IP address), but frankly I don't think that's possible. Or is it?
David Hanak  2009-01-21 17:36:57
Ah sorry, you are right, I think that would lead to "redirecting all page requests to a common domain name"
Sven Lilienthal  2009-01-21 17:57:31
One security issue is that third-party cookies are disabled for a reason, and collusion between two domain owners doesn't affect that reason. Another is that a "return to same domain" rule is simple, while "return to same domain, or on access list" is much more complicated and insecure.
David Thornley  2009-01-21 18:51:27
You could always write a rfc :-)
Sven Lilienthal  2009-01-21 22:17:33
A: 

As you mentioned, you're not going to be able to do any sort of cross-domain ajax or cookie setting. The easiest way to do it would be to have the different domains redirect (or submit a form) to the next URL passing data in the URL or POST body.

You could also set up a server-side proxy to make requests to your third-party domain, however this is a bit more complicated to set up and has some security implications.

Marc Novakowski  2009-01-21 16:39:15
A: 

I would personally argue in favor of redirecting all alternate domain names to a common domain name. It's just simpler that way.

Randolpho  2009-01-21 16:44:10
It might be simpler technically, but perhaps not politically. I was looking for a technical solution that, although more complicated and less elegant than the trivial solution, still works without conflicting with structural and design directives.
David Hanak  2009-01-21 17:33:24
+2  A: 

I would look at a server-side solution, creating a common database that all sites can access. When the user logs in, generate a time-sensitive, IP-keyed token that can be passed from site to site either in GET or POST. Then, validate each request on token, IP, and time. The combination of the three will resolve most security concerns.

Jekke  2009-01-21 16:53:39
Yes, that could work. I was hoping I could avoid database access. Well, one can't have everything!
David Hanak  2009-01-21 17:39:34
A: 

If the domains don’t share a higher level domain (like foo.example.com and bar.example.com have the same second level domain example.com), there is – or better: there should be – no way of sharing cookies.

Gumbo  2009-01-21 17:42:10
A: 

you could also use cookie with the IP address, but then domains won't be used in any way.

dusoft  2009-01-21 19:47:33
Not if the address the page is downloaded from contains the domain name, and not the raw IP.
David Hanak  2009-01-21 21:04:57

related questions

Autosizing Textarea
Regular expression for parsing links from a webpage?
What are good tools for creating compiled HTML help files (.chm)?
Looking for WYSIWYG HTML editor
Any reason not to start using the HTML 5 doctype?
HTML comments break down
HTML Comments Markup
Setting a div's height in HTML with CSS
Wrapping lists into columns
Is a "Confirm Email" input good practice when user changes email address?
<XMP> Tag
HTML version choice
Options for HTML scraping?
How do you disable browser Autocomplete on web form field / input tag?
How do I make a checkbox toggle from clicking on the text label as well?
Html CSS Editor
Wordpress theme development offline tools
How do I give my web sites an icon for iPhone?
In HTML, how to word-break on a dash?
Detecting font in JavaScript
How do you test layout design across multiple browsers/OSs?
How do I print an HTML document from a web service?
Multiple submit buttons on a HTML form
How can I determine a web user's time zone?
Why doesn't the percentage width child in absolutely positioned parent work in IE7?