
How do I use cookies across two different domains?

Tags: php, cookies

I need to share SSO information between two different domains with a cookie, can this be done in PHP and how?

asked Nov 24 '08 19:11 by danielrsmith




3 Answers

On both domains, place an image or other web element that is pulled from the other domain. Use the URL to notify the other domain that user X is on domain A, and let domain B associate that user ID with that user on their system.

It's a little complex to carry out correctly, but if you think it through it'll work out very well.

Vinko points out in a comment (thanks!) that I shouldn't take it for granted that you understand the security risks involved. If this information is of any value to anyone, then you should make sure you use proper encryption, authentication, etc. to avoid releasing sensitive information and to avoid various attacks (replay, man in the middle, etc.). This shouldn't be too onerous since you control both websites and you can select a secure secret key for both, since the communication is only going between the two servers via this special URL. Keep it in mind though.

-Adam

answered Oct 01 '22 15:10 by Adam Davis
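
A sketch of the signed handoff URL this answer describes, as an added example that is not part of the original answer: domain A issues a short-lived, single-use HMAC token and domain B verifies it with the shared secret key. The function names, the 60-second lifetime and the in-memory `$seen` replay store are assumptions; the token is authenticated but not encrypted, so it carries only a user ID and should travel over HTTPS.

```php
<?php
// Added example; function names, TTL and the replay store are hypothetical.
const SSO_TTL = 60; // seconds a handoff URL stays valid

function sso_b64url(string $bin): string {
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}

// Domain A: issue a token for the logged-in user; it goes in the URL pulled from domain B.
function sso_issue(string $userId, string $key, ?int $now = null): string {
    $body = sso_b64url(json_encode([
        'uid' => $userId,
        'exp' => ($now ?? time()) + SSO_TTL,
        'jti' => bin2hex(random_bytes(16)), // unique ID so a token is accepted only once
    ]));
    return $body . '.' . sso_b64url(hash_hmac('sha256', $body, $key, true));
}

// Domain B: return the user ID if the token is authentic, unexpired and unused, else null.
// $seen stands in for a store shared by domain B's servers (assumption).
function sso_verify(string $token, string $key, array &$seen, ?int $now = null): ?string {
    $parts = explode('.', $token);
    if (count($parts) !== 2) return null;
    [$body, $mac] = $parts;
    $expected = sso_b64url(hash_hmac('sha256', $body, $key, true));
    if (!hash_equals($expected, $mac)) return null; // constant-time MAC check comes first
    $claims = json_decode((string) base64_decode(strtr($body, '-_', '+/')), true);
    if (!is_array($claims) || !isset($claims['uid'], $claims['exp'], $claims['jti'])) return null;
    if (!is_int($claims['exp']) || ($now ?? time()) > $claims['exp']) return null; // expired
    if (isset($seen[$claims['jti']])) return null; // replayed
    $seen[$claims['jti']] = $claims['exp']; // remember the ID until the token expires
    return (string) $claims['uid'];
}

// Constructed demo: both sites would load the same secret key from their own config.
$key   = random_bytes(32);
$seen  = [];
$token = sso_issue('user-42', $key);
var_dump([
    'first use' => sso_verify($token, $key, $seen),
    'replay'    => sso_verify($token, $key, $seen),
    'tampered'  => sso_verify('x' . $token, $key, $seen),
    'expired'   => sso_verify(sso_issue('user-42', $key, time() - 120), $key, $seen),
]);
```

Once `sso_verify` returns a user ID, domain B sets its own session cookie for that user; no cookie ever crosses the domain boundary.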


You don't, cookies are bound to a domain. There are restrictions on this and it's referred to as cross site scripting.

Now, for some help to your problem. What you can do is create a script that helps bridge them.

You can globally rewrite all links to your second site that are going to need cookie information from the first site.

You would save all the cookies from site-a to a database that they both can read, then programmatically append the cookie-id querystring to all of the links to site-b, then you look up that cookie ID and re-set the cookies under the new domain.

There is a really good PHP database abstraction library (PHP ADODB) and it has a session sharing plugin that makes all of this a whole lot easier.

answered Oct 01 '22 13:10 by chews


I'm not sure about the security implications, but there is an Apache setting that allows you to change the domain of a cookie.

# in httpd.conf (or equivalent)
php_value session.cookie_domain mydomain.com

I have successfully employed this method for subdomains, but have never attempted it for different domains.

There is also a method to set the variables directly in PHP, described at http://us.php.net/manual/en/function.session-set-cookie-params.php. The documentation makes no reference to the ability or inability to set cookies on a different domain.

There is a different Stack Overflow thread on this same topic, but I don't think it was ever sufficiently answered.

answered Oct 01 '22 13:10 by KDrewiske