Cookies - set across multiple domains

梦如初夏 2021-02-01 22:01

My company has a setup as follows:

  • subdomain1.domain1.com
  • subdomain2.domain1.com
  • subdomain3.domain1.com
  • subdomain4.domain1.com
5 answers
  • 2021-02-01 22:23

    As stated by others, you can't access cookies across domains. However, if you have control of the server code, you can return information in the body, and allow your client to read and store that information per server.

    In my case, I'm connecting a single client to multiple servers, maintaining an authenticated connection to each one. I need to know when the session for each one is going to expire, so the authentication service returns the cookie, plus it modifies the body of the response to send the relevant data back, so that I can read that data and set my own cookies.

    By doing this, I can manually track what I need. Won't work in every scenario, but might for some like me.

  • 2021-02-01 22:28

    For security reasons, sites cannot set or retrieve cookies on other domains. Scripting the form submit via JavaScript is likely the easiest to do, and will still store the cookies you need in the browser cache.

  • 2021-02-01 22:31

    Create a common domain specifically for your cookies and use it as a getter/setter API.

    http://cookie.domain.com/set/domain1
    http://cookie.domain.com/get/domain1
    
    http://cookie.domain.com/set/domain2
    http://cookie.domain.com/get/domain2
    

    and so on.

  • 2021-02-01 22:31

    This answer is a slightly different version of my answer on the question "Set cookie on multiple domains with PHP or JavaScript".

    Do what Google is doing. Create a PHP file (or a file in any other server language) that sets the cookie on all 3 domains. Then on the domain where the login is going to be set, create an HTML file that would load the PHP file that sets the cookie on the other 2 domains. Example:

    <html>
     <head></head>
     <body>
     Please wait..........
     <img src="http://domain2.com/setcookie.php?user=encryptedusername"/>
     <img src="http://domain3.com/setcookie.php?user=encryptedusername"/>
     </body>
    </html>
    

    Then add an onload callback on the body tag. The document will only load when the images completely load, that is, when cookies are set on the other 2 domains. Onload callback:

    <head>
     <script>
     function loadComplete(){
      window.location="http://domain1.com";//URL of domain1
     }
     </script>
    </head>
    <body onload="loadComplete()">
    

    Now cookies are set on the three domains.

    Source

  • 2021-02-01 22:39

    Include a script tag from domain2 that sets the cookie using a username and hashed password:

    <script type="text/javascript" src="http://domain2.com/cookie_login_page.php?username=johnsmith&hash=1614aasdfgh213g"></script>
    

    You can then check to ensure that the hashed passwords match (one way).

    Key points:

    1. Make the hashes in the URL time sensitive by appending a timestamp that will be agreed upon by the server (for example, 16:00, 16:10, etc.) before hashing the string. If you're using HTTPS this is less of an issue.

    2. If your passwords are already hashed, it won't hurt to double-hash the passwords assuming the salts are the same on both servers.

    Sample PHP code:

    src:

    <script type="text/javascript" src="/cookie_login_page.php?username=<?php echo urlencode($username); ?>&hash=<?php echo md5($password . date('H')); ?>"></script>
    

    dest:

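    <?php

    // get_password() is the answer's placeholder for looking up the stored password.
    $password = get_password($_GET['username']);
    // hash_equals() compares in constant time and avoids loose == comparison of hash strings.
    if (hash_equals(md5($password . date('H')), (string) ($_GET['hash'] ?? ''))) {
        // set the cookie
    }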
    
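The time-sensitive hash in the last answer can be made independent of the user's password by signing a short-lived token with a secret shared between the servers. The following is an added example, not code from any of the answers: it swaps `md5($password . date('H'))` for an HMAC-SHA256 over the username and issue time, and the names `mintToken`, `verifyToken`, the secret value and the 120-second lifetime are all assumptions made for illustration.

```javascript
// Added example (Node.js built-ins only): HMAC-signed, short-lived handoff token.
const { createHmac, timingSafeEqual } = require('crypto');

// Assumption: both servers load the same random secret from their configuration.
const SHARED_SECRET = 'constructed-demo-secret-replace-me';
const MAX_AGE_SECONDS = 120;     // token lifetime (assumed value)
const ALLOWED_SKEW_SECONDS = 5;  // tolerated clock difference between the servers

function sign(payload, secret) {
  return createHmac('sha256', secret).update(payload).digest('hex');
}

// Source domain: mint a token for the user who has just logged in.
function mintToken(username, nowSeconds, secret = SHARED_SECRET) {
  const json = JSON.stringify({ u: username, t: nowSeconds });
  const payload = Buffer.from(json, 'utf8').toString('hex'); // URL-safe as is
  return `${payload}.${sign(payload, secret)}`;
}

// Destination domain: return the username if the token is authentic and
// fresh, otherwise null. Only then should the page set its own cookie.
function verifyToken(token, nowSeconds, secret = SHARED_SECRET) {
  if (typeof token !== 'string') return null;
  const parts = token.split('.');
  if (parts.length !== 2) return null;
  const [payload, mac] = parts;

  // Check the MAC before parsing anything the client controls.
  const expected = Buffer.from(sign(payload, secret));
  const given = Buffer.from(mac);
  // timingSafeEqual throws on unequal lengths, so compare lengths first.
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) {
    return null;
  }

  let claims;
  try {
    claims = JSON.parse(Buffer.from(payload, 'hex').toString('utf8'));
  } catch {
    return null;
  }
  if (!claims || typeof claims.u !== 'string' || !Number.isInteger(claims.t)) {
    return null;
  }

  // An explicit age check avoids the failure at the hour rollover that a
  // date('H') bucket has, and bounds how long a leaked URL stays usable.
  const age = nowSeconds - claims.t;
  if (age < -ALLOWED_SKEW_SECONDS || age > MAX_AGE_SECONDS) return null;
  return claims.u;
}
```

The token still travels in a URL, so it should only be sent over HTTPS, and the receiving page should reject a token it has already accepted if single use matters.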