Cookies over multiple domains

Anon

I have a problem.
I have 2 secure domains and i want to be able to share my cookies between the sites.

Is this possible? How do i do it?

I set my cookie on one secure page and a link on that site takes you to a new site where i want to be able to read the stored cookie...

Thanks for any help you can give me!
/Daniel

hiasl

Hi!

This is generally not possible, since cookies are always limited to one domain, because of privacy and blabla...

However if it's always the same page that you leave the first site from and enter the second page you could write some kind of cookie transfer script, e.g.:

Cookie Site A: UniqueID = ABCDEF123456

Link from A to B: http://SiteA/page.php4??UniqueID=ABCDEF123456

On the Site B retrieve the get-value and set the cookie again. You can propably access the first site's db from the second site to have continuing information.

regards,
Matthias

Anon

isn't that a security risk , since now i know the link and can create (UniqueID) cookies on site B's domain, all a hacker must now understand the algorithm for the unique id and he can access site B.

hiasl

Well, I don't think so:
1.) It's not so difficult to get the UniqueID out of the HTTP header (when it's set), therefor you can get the cookie value and try to detect the algorithm. That means there is not such a big difference concerning security compared to the get variable.

2.) Normally the UniqueID with its creation algorithm is not the key to your site, but it's a reference to your temporary login information in a db or something. That means that being capable of creating cookies does not mean you can access the site. Only if there's a db entry with your login details corresponding to that cookie, you get access.

3.) What might be a problem is fetching someone else's cookie, transmitting it to site b and get access with the other persons account. However you could save an IP address together with the cookie details, that would make it harder to hijack.

ciao,
Matthias