A recent question made me post this one.

I'm working on a set of web pages that have some very simple user login, and store the user id in a cookie. Let's say that due to certain decisions which I'm in no position to overrule, the pages use several alternate domain names. I.e., the login page uses one domain name, and the page that should be able to verify whether the user is logged in could be in another domain. Of course, in most browsers, third party cookies are disabled, so setting the userid cookies for all possible domains is out of the question. AFAIK, read access is outright impossible, since neither the browser sends third party cookies to the server, nor are they accessible from JavaScript.

Is someone aware of a workaround, apart from redirecting all page requests to a common domain name? Both server and client side solutions are welcome.

Update 1: when I say workaround, I don't necessarily mean any means of forcing cookies through. Solutions replacing cookie based authentication are also accepted, if they are simple enough.

Update 2: the domains are not in the same hierarchy, but they all map to the same IP address.

+14  A: 

There should be no workaround. Each workaround would be considered a bug (or more correctly a security issue).

Sven Lilienthal
I would normally agree, if it weren't for the fact that I, the owner of domain A, would like to **explicitly** allow pages in domain B to read (some of) my cookies. I see no security issue when both sites give their approval.
David Hanak
Well, you could use your IP address as your cookie-url. Would that solve your problem?
Sven Lilienthal
It would (the various domain names map to the same IP address), but frankly I don't think that's possible. Or is it?
David Hanak
Ah sorry, you are right, I think that would lead to "redirecting all page requests to a common domain name"
Sven Lilienthal
One security issue is that third-party cookies are disabled for a reason, and collusion between two domain owners doesn't affect that reason. Another is that a "return to same domain" rule is simple, while "return to same domain, or on access list" is much more complicated and insecure.
David Thornley
You could always write an RFC :-)
Sven Lilienthal
A: 

As you mentioned, you're not going to be able to do any sort of cross-domain ajax or cookie setting. The easiest way to do it would be to have the different domains redirect (or submit a form) to the next URL passing data in the URL or POST body.

You could also set up a server-side proxy to make requests to your third-party domain, however this is a bit more complicated to set up and has some security implications.

Marc Novakowski
A: 

I would personally argue in favor of redirecting all alternate domain names to a common domain name. It's just simpler that way.

Randolpho
It might be simpler technically, but perhaps not politically. I was looking for a technical solution that, although more complicated and less elegant than the trivial solution, still works without conflicting with structural and design directives.
David Hanak
+2  A: 

I would look at a server-side solution, creating a common database that all sites can access. When the user logs in, generate a time-sensitive, IP-keyed token that can be passed from site to site either in GET or POST. Then, validate each request on token, IP, and time. The combination of the three will resolve most security concerns.

Jekke
Yes, that could work. I was hoping I could avoid database access. Well, one can't have everything!
David Hanak
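The token check Jekke's answer describes (token, IP and time validated against a common store), sketched as an added example that is not code from the answer or the thread. The function names, the 60-second lifetime, the table layout and the use of SQLite as the shared database are assumptions made for illustration.

```python
import hashlib
import secrets
import sqlite3
import time

TOKEN_TTL = 60  # seconds; assumed value, the answer only says "time-sensitive"

def open_store(path=":memory:"):
    """Stand-in for the common database that every domain's backend can reach."""
    db = sqlite3.connect(path)
    db.execute("CREATE TABLE IF NOT EXISTS handoff ("
               "token_hash TEXT PRIMARY KEY, user_id TEXT, ip TEXT, expires REAL)")
    return db

def _digest(token):
    # Store only a hash, so a leaked table does not hand out usable tokens.
    return hashlib.sha256(token.encode()).hexdigest()

def issue_token(db, user_id, client_ip, now=None):
    """Login domain: called once the user has authenticated."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # unguessable value passed in GET or POST
    db.execute("INSERT INTO handoff VALUES (?, ?, ?, ?)",
               (_digest(token), user_id, client_ip, now + TOKEN_TTL))
    db.commit()
    return token

def validate_token(db, token, client_ip, now=None):
    """Any other domain: returns the user id, or None if a check fails."""
    now = time.time() if now is None else now
    row = db.execute(
        "SELECT user_id, ip, expires FROM handoff WHERE token_hash = ?",
        (_digest(token),)).fetchone()
    if row is None:            # unknown or forged token
        return None
    user_id, ip, expires = row
    if now > expires:          # past its lifetime
        return None
    if ip != client_ip:        # presented from a different address
        return None
    return user_id

if __name__ == "__main__":
    # Constructed sample values (documentation IP ranges, fixed clock).
    db = open_store()
    t = issue_token(db, "alice", "203.0.113.7", now=1000.0)
    print(validate_token(db, t, "203.0.113.7", now=1030.0))   # same IP, in time
    print(validate_token(db, t, "198.51.100.9", now=1030.0))  # other IP
```

Because the token travels in the URL or POST body, it can end up in server logs and Referer headers, which is why the lifetime is kept short and the IP binding is checked on every request.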
A: 

If the domains don’t share a higher level domain (like foo.example.com and bar.example.com have the same second level domain example.com), there is – or better: there should be – no way of sharing cookies.

Gumbo
A: 

You could also use a cookie with the IP address, but then domains won't be used in any way.

dusoft
Not if the address the page is downloaded from contains the domain name, and not the raw IP.
David Hanak