Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Cross domain cookies

Tags:

authentication

php

cookies

single-sign-on

I have a small problem.

How do I set a cookie for multiple domains?

I do understand the security problems, and I am sure it has been done before. The reason for this is SSO.

ie.

account.domain.com will need to set domain logged in for:

domain.com, domain1.com, domain2.com.

Is there any easy way, using PHP and cookies, or any alternatives?

like image 243
bear Avatar asked Jul 05 '09 14:07

bear

People also ask

Can cookies be cross domain?

There's no such thing as cross domain cookies. You could share a cookie between foo.example.com and bar.example.com but never between example.com and example2.com and that's for security reasons.

Can you share cookies between domains?

To share a cookie between domains, you will need two domains, for example myserver.com and slave.com . One of the domains will issue the cookies and the other domain will ask the first domain what cookie should be issued to the client.

What are cross site cookies?

Cross-site cooking is a type of browser exploit which allows a site attacker to set a cookie for a browser into the cookie domain of another site server .

2 Answers

There is absolutely no way for domain.com to set a cookie for domain1.com. What you are attempting to do can only be solved by getting the user's browser to submit requests to each domain which will then set its own cookie.

Then you need a way for each domain to verify the user's identity. There are two approaches to this:

  1. Back channel - the sites contact each other directly to determine if a user is logged in.
  2. Passing a token in the GET or POST - when the user's broweser is redirected to the other site a digitally signed parameter is passed containing the identity and session status.

It's really quite complicated. I suggest you don't roll your own. Take a look at SimpleSAMLPHP for a PHP implementation of what I'm describing.

like image 184
Andrew Strong Avatar answered Sep 24 '22 09:09

Andrew Strong

What you're attempting can't be done. (It's a browser security issue, not a PHP one.)

Other than using some form of off-site authentication, the nearest you can achieve is making a cookie accessible across sub-domains, in which case you just use the optional 'domain' arg of PHP's set_cookie function.

like image 34
John Parker Avatar answered Sep 22 '22 09:09

John Parker
Sign in to Comment

Related questions

Is code after header("Location: ...) executed?
UTF8 Encoding problem - With good examples
PHPUnit output causing Zend_Session exceptions
PHP Include for HTML?
What is the safest way of passing arguments from server-side PHP to client-side JavaScript [duplicate]
PHP Iterate through $_POST and use values by name
How to autoload Guzzle in Laravel 4?
Laravel multiple tables per migration
Access a JavaScript variable from PHP
laravel querybuilder how to use like in wherein function
MYSQL 8.0 - unsupported redo log format
Does function definition order matter?
In which order are objects destructed in PHP?
SQLSTATE[HY093]: Invalid parameter number: number of bound variables does not match number of tokens on line 102 [closed]
Notice: Trying to get property of non-object error
What does ClassName::class mean in PHP? [duplicate]
Slim - How to send response with "Content-Type: application/json" header?
What is the usage of repositories and interfaces in Laravel?
Zend_Session / Zend_Auth randomly throws Error Message ps_files_cleanup_dir: opendir(/var/lib/php5) failed: Permission denied (13)
Binding params for PDO statement inside a loop

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!