sharing cookies

Anon

I\'m trying to figure out how Amazon pulls off the identification of users in its little tip-jar imbedded login stuff.

My limited understanding of cookie handling in PHP tells me that there is no way to get the cookie values of one domain from another without having the domain that set the cookie pass it to the requestor. For the Amazon tip-jar stuff, they appear to have found a way.

If anyone has any tips for this, please let me know.

[deleted]

Setting the domain is not mandatory.
It's used to stop cookies being sent all over the place, but can be left out.

If a cookie has no domain set, it get's sent with every request to any site.
That's why cookies are sometimes considered a security risk.

If amazon doesn't set a domain on the cookie, the cookie becomes available to anyone.

But, Amazon could also be setting several cookies, one for each domain that needs the cookie...

Anon

I figured some of it out.

They're are using an image imbedded in the page. This causes the browser to make an HTTP request to amazon's server, thus passing along the cookie. Amazon's URL for the image is evidently a script that dynamically builds an image to pass back to the requesting browser.

I'm still trying to figure out how exactly to do this in PHP as well as figure out how to had back a login value (in/out) to the requesting browser.