PHP Cookies for multiple Domains

Tags:

php

cookies

dns

I want to create a cookie from one domain once the user is registered in PHP, and make this cookie accessible to 4 other domains (not subdomains). I know that cookies are not designed to be accessible to other domains. For example, I have set a cookie variable $user_email from domain www.firstdomain.com and want to access it in other domains like www.seconddomain.com, www.thirddomain.com etc. Maybe this can be done using PHP or JavaScript. Any idea please.

Thank you!

kakaajee asked Feb 05 '11 12:02

2 Answers

When searching the cookie list for valid cookies, a comparison of the domain attributes of the cookie is made with the Internet domain name of the host from which the URL will be fetched. If there is a tail match, then the cookie will go through path matching to see if it should be sent. "Tail matching" means that the domain attribute is matched against the tail of the fully qualified domain name of the host. A domain attribute of "acme.com" would match host names "anvil.acme.com" as well as "shipping.crate.acme.com". Only hosts within the specified domain can set a cookie for a domain, and domains must have at least two (2) or three (3) periods in them to prevent domains of the form ".com", ".edu", and "va.us". Any domain that falls within one of the seven special top level domains listed below only requires two periods. Any other domain requires at least three. The seven special top level domains are: "COM", "EDU", "NET", "ORG", "GOV", "MIL", and "INT".

The default value of domain is the host name of the server which generated the cookie response.

Read up here.

You can load an iframe from a host which then reloads itself with the encoded cookie value in the fragment part (after the #).

You can then access the document.location attribute from the parent window (this is the only thing that is accessible), decode it and pass it to your server in an AJAX request.

This could look like this:

xss.php (located on cookies.example.com):

<?php
// runs on cookies.example.com, so $_COOKIE is that domain's cookie jar
if (!isset($_GET['r'])) { // without this guard the redirect loops: the browser never sends the #fragment back
    $data = array(
        'uid'       => isset($_COOKIE['uid']) ? $_COOKIE['uid'] : null,
        'loginhash' => isset($_COOKIE['loginhash']) ? $_COOKIE['loginhash'] : null);
    header('Location: xss.php?r=1#' . urlencode(json_encode($data)));
    exit;
}

For this particular case it does not need to be the hash; it's just convenient for other situations. This can also be done in JavaScript.

Another website embeds xss.php:

<iframe id="cookies" src="http://cookies.example.com/xss.php"></iframe>

You need to somehow delay the following, or do it in a loop that stops after 5 seconds or something.

// poll the iframe every 500 ms, give up after 5 seconds
var tries = 0;
var timer = setInterval(function () {
  // the <iframe> element has no .location; the window inside it does
  // (the browser only lets the parent read it while the framed document is same-origin with this page)
  var href = document.getElementById('cookies').contentWindow.location.href;
  if (href != 'http://cookies.example.com/xss.php') {
    clearInterval(timer);
    // extract the hash, JSON decode it, there you have your user
    var user = JSON.parse(decodeURIComponent(href.split('#')[1]));
    // send it to the server for validation or whatever
  } else if (++tries >= 10) {
    clearInterval(timer);
  }
}, 500);

This technique is called XSS receiving. It is, for example, utilised by Facebook for all their JavaScript Connect libraries.

A probably better way would be some sort of token-exchanging protocol like OpenID.

Amazon uses this too.

You can set up an OpenID provider (there are libraries available that can do that out of the box) and set it to automatically redirect back without user interaction. I have often seen the OpenID protocol used for other purposes, just like cross-domain communication.

The Surrican answered Oct 11 '22 12:10


As you have already said, a cookie can only be set for a domain from that domain (including its subdomains). And if your domains do not share a common superdomain, you need to set each cookie for each domain separately.

You can do this with a script on each domain that sets the cookie for you. But make sure to authenticate requests to these scripts so that only you can set the cookies.

Gumbo answered Oct 11 '22 14:10