cookie problem. i am dying.

miked44

Hi,

I'm running several domains off the one server, using domain pointers.

e.g. /public_html/bleh = www.bleh.com
/public_html/blah = www.blah.com

Although they are two different sites, in look and feel they appear to be the same, and they use the same cookie, and i want a user to stay logged in when going from one site to the other.

i thought this would work just by adding the "/" in the path field of the setcookie() function, but it would appear not.

Any ideas?

Thanks in advance,
Mike

enterume

sad to say, cookie can only serve a domain, can't be shared between 2 website.

Correct me if i am wrong.

Thanks
Louis

miked44

well it works fine if i just use the master domain...

i.e. www.master.com/bleh
will share the cookie properly with www.master.com/blah... so that is effectively two different websites, but when i use the actual domain names it doesn't work!?!?

sid

i would like to agree with enterume - dont think that works...

the case in your fist and the 2nd post is a lot different. try entering "www.master.com" as cookie parameter - im not positive that itll work, but give it a shot.

miked44

so it's not possible to set the i.p address as the domain field? as all domains share the same i.p address.

enterume

yes mike, it is impossible to do that.

unless you are putting somehting like www.master.com/bleh and www.master.com/blah, which the domain is register under the master domain.

I tried to do it some times ago, but couldn't find out how. unless, you using virtual domain which is bleh.master.com and blah.master.com , then you able to share the cookie.

THanks
Louis

miked44

well, how would MS work their passport system, any site that you go to knows that you are signed into passport and automatically logs you in, how would that work?

dannys

That's because all passport sites will redirect to the passport mothership at somepoint.

MrAlaska

Gosh, DoubleClick plants cookies all over the internet! I don't see why you shouldn't be able to do this. Why can't you cycle through all the cookies on the client and look for ones matching your other domains, then use the info to log them in on the present domain?

I am just thinking out loud, having never had the need to do this, but I don't see why it can't be done.

dannys

Why can't you cycle through all the cookies on the client and look for ones matching your other domains, then use the info to log them in on the present domain?

Because then I could cycle through and request the cookies for yahoo.com, passport.com etc

frigidman

Its a security issue more than ease of use for web developers. You basically cannot set a cookie for another domain that the cookie is not originating from.

Like if you were on "www.blah.com" and a cookie was set from that server to only be returned to "www.ickypoo.com", MOST browsers will not accept the cookie as its for another domain than what was originating from.

You CAN set that... but the 'take' factor is a crapshoot, and you never know if it will work for everyones browser, since its sort of 'taboo'.

Also, another bit of information... the SERVER doesnt root around in a web browsers cookies. The WEB BROWSER sends the cookie along with the request to the server. The web browser has to know to send the cookie, by the definition data in the cookie. If the web browser originally accepted the cookie to be sent to domains "www.ickypoo.com", then it will send that cookie when it goes to anything under "www.ickypoo.com". It wont send that cookie to "www.yahoo.com" or "www.blah.com" since thats not where its directed to send.

Of course, thats IF the browser accepted the cookie to begin with.

Banner ads, doubleclick, etc etc set cookie through the use of images. You can set a cookie on an image request, and if you request an image from "www.ickypoo.com" and a cookie is sent along with the image, then the web browser will blindly accept it (ifthe user is accepting cookies at all), because the cookie CAME from that domain to be returned to that domain.

SO, if you are intent on cookies, you could make hidden image calls to all your domains to set a cookie for that domain. I actually did this with a system I created a while back called "Evihcra" (now known as Fileball.net)... because all websites under evihcra had their own domain... but were ALL using the same tool set and needed the user logged into one on all sites. I ended up ditching that with fileball and just making each site a sub dir under the fileball.net name (much easier, and less flaky with people who turn off cookies altogether).

ANYHOW... thats all food for thought...

nightowl

There is a good article about this whole thing on this site. Look at the logging section of the articles and especially to the articles of Tim Perdue which are all among the most interesting on this site ...

http://www.phpbuilder.com/columns/tim19990130.php3

There is the revisited version available too ...

MrAlaska

Originally posted by dannys
Because then I could cycle through and request the cookies for yahoo.com, passport.com etc [/B]

So ignore those cookies and look for your own. You can't get other domain's cookies sent in the header but you can still read the text in cookies that don't belong to you. Since you know how you formatted the values you put in your cookies on the other domain, or you can send the variables pre-pended and appended with string information that makes them easier to parse, I don't see why you can't then parse them out and log the user in to the present domain, then plant your own cookie. Perhaps I am missing something?

frigidman

Originally posted by MrAlaska
So ignore those cookies and look for your own. You can't get other domain's cookies sent in the header but you can still read the text in cookies that don't belong to you. Since you know how you formatted the values you put in your cookies on the other domain, or you can send the variables pre-pended and appended with string information that makes them easier to parse, I don't see why you can't then parse them out and log the user in to the present domain, then plant your own cookie. Perhaps I am missing something?

LOL... yeah... "but you can still read the text in cookies that don't belong to you" :rolleyes:

Gee, how do you do that when the cookie isn't sent in the request to the server... Are you saying, have the server hack into a users browser and dig for cookie data? Heheheheh... cough

I think his issue is that one domain does not send a user over to the other domain... so he can't simply add the information in the URL for the other domain (ie the phpsessid).

He's having the problem where users could be on one, then end up on the other through other means, but it needs to use the same user login since both domains share the same code/user base... I think.

Either way ... you cannot read cookie data for a cookie that is not sent to the web server by the web browser, it simply doesnt exist for php to read.

MrAlaska

When I was in Java class I remember having fun looping through all the cookies, but I can't find the code we were using. I dunno, maybe we were exploiting a security hole or something. Everything I can find indicates that it is impossible to read the text of other domain's cookies, so it would appear I was two miles to the left of wrong.

Microsoft talks about reading third party cookies and how they set up their passport system on this page:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ppsdk14/Implementation/p3p.asp
The references they make for explicitely setting up cookies to for third party browsing may only relate to IE. Who knows with them.