crossdomain cookies

sophistikat

I'll try to make this short and to the point.

I am working with a company to build a bunch of components which will be included into another website (www.domainA.com) using iframes. Our components access own database on our server (www.domainB.com).

The main site (www.domainA.com) is using a SSO application which uses cookies to define/validate a user. Any subsequent pages will need to access these cookies to ensure the user is logged in.

I will need access to those cookies within the iframes to ensure users can interact with them, but again, these components are within a different domain (www.domainB.com)

My question to you is;
Can it be done? Is it safe?

Another idea we threw into the hat was for the main site (www.domainA.com) to pass any parameters through the iframe tag; encrypting the values using hash or maybe some tokens or some other type of encryption.

What do you think? Hoping you guys can give me some advice.

Thanks.

sophistikat

Hello Friends.

I did some more reading, specifically this post http://www.phpbuilder.com/columns/chriskings20001128.php3?page=1 but unfortunately, I have no access to the first domain so this will not work for me.

Reading through some of the comments about cookies, I ran into someone making a suggestion to my 'secondary thought'. That is, have the main domain send the cookies through the iframe.

In that php script manage a post to an 1x1 iframe on domain2 and duplicate the cookie for that domain. You're set to go. (this will only work one way, which in my case is ok, cause domain1 manages the cookies and domain2 doesn't change them, just reads them)

I'll continue to do some more research (look into security and whether to use tokens/hash values)

NogDog

Yeah, as far as I know, a single given cookie can only have one domain (though you can have it work across multiple sub-domains within the same domain).

sophistikat

it looks like that's our best option right now. question for you, will get pass onto me will be sensitive information like user_id and email. is there a consensus among php developers on securing that type of info? tokens or hash values seems to the options right now. is there anything else I can look at?