PHP Cookies for multiple Domains

Question

I want to create a cookie from one domain once the user is registered in PHP. and make this cookie accessible to 4 other domains not subdomain. I know that cookies are not d

Answer 1

I ve done some scripts to handle multi domain cookie :

https://code.google.com/p/mudoco/

Answer 2

if you want to access cookie within different domains so this can be done with the help of javascript trick. As cookie can be accessed within same domain.

1. Create cookie on user’s browser using JavaScript on your first domain.

2. Set the name of the window to whatever value of cookie you want to carry to another domain by using window.name.

3. Step 2 should be performed on every page of the domain which has created the cookie. It could be easily by calling a JavaScript file on all pages.

4. When you move to another domain, and want to access the above mentioned cookie value, access it by using window.name as window has not changed.

5. Create new cookie on this domain and assign this value to it.

Answer 3

When searching the cookie list for valid cookies, a comparison of the domain attributes of the cookie is made with the Internet domain name of the host from which the URL will be fetched. If there is a tail match, then the cookie will go through path matching to see if it should be sent. "Tail matching" means that domain attribute is matched against the tail of the fully qualified domain name of the host. A domain attribute of "acme.com" would match host names "anvil.acme.com" as well as "shipping.crate.acme.com". Only hosts within the specified domain can set a cookie for a domain and domains must have at least two (2) or three (3) periods in them to prevent domains of the form: ".com", ".edu", and "va.us". Any domain that fails within one of the seven special top level domains listed below only require two periods. Any other domain requires at least three. The seven special top level domains are: "COM", "EDU", "NET", "ORG", "GOV", "MIL", and "INT".

The default value of domain is the host name of the server which generated the cookie response.

read up here.

you can load an iframe from a host which then reloads itself with the encoded cookie value in the segment part (after the #).

you can then access the document.location attribute from the parent window (hits the only thing that is accessible). decode it and pass it to your server doing an ajax request.

This could look like so.

xss.php (located on cookies.example.com):

<?php
$data = array(
'uid' => $_COOKIE['uid'],
'loginhash' => $_COOKIE['loginhash']);
header('Location: xss.php#'.urlencode(json_encode($data)));

for this particular case it does not need to be the hashtag! its just convinient for other situations. this can also be done in javascript.

another website embeds xss.php:

<iframe id="cookies" src="http://cookies.example.com/xss.php"></iframe>

you need to somehow delay the following of do it in a loop that stops after 5 seconds or something.

if(document.getElementById('cookies').location != 'http://cookies.example.com/xss.php') {
 // read location, extract hashtag, json decode using javscript, there you have your user. send it to server for validation or whatever.
}

this teqnique is called xss recieving. it is for example utilised by facebook for all their javascript connect libraries.

a probably better way would be some sort of token exchanging protocol like openid.

amazon uses this too.

you can set up an openid provider (there are librarys available that can do that out of the box) and set it to auotmatically redirect back without user interaction. i have often seen openid protocol used for some other purposes just like cross domain communication.

Answer 4

As you have already said, a cookie can only be set for a domain from that domain (including its subdomains). And if your domains do not share a common superdomain, you need set each cookie for each domain separately.

You can do this with a script that on each domain that sets the cookie for you. But make sure to authenticate requests to these scripts so that only you can set the cookies.

Answer 5

I had solved exactly same problem (actually also for 4 domains). The only solution I've came up with was, to include 3 hidden iframes on the 'Successful login page' and those iframes just load www.domain1.com/register_session.php, www.domain2.com/register_session.php, etc....

As a parameter for register_session.php I use 'sid' which contains session ID:

session_id($_GET['sid']);
session_start();

This is actually for keeping session alive on all those domains but the same would be for your case with cookies.