Cookies - set across multiple domains

javascript jquery cookies setcookie

56,318

Solution 1

Create a common domain specifically for your cookies and use it as a getter/setter API.

http://cookie.domain.com/set/domain1
http://cookie.domain.com/get/domain1

http://cookie.domain.com/set/domain2
http://cookie.domain.com/get/domain2

and so on.

Solution 2

This answer is a slightly different version of my answer on the question "Set cookie on multiple domains with PHP or JavaScript".

Do what Google is doing. Create a PHP (or any other server language file) file that sets the cookie on all 3 domains. Then on the domain where the login is going to be set, create a HTML file that would load the PHP file that sets cookie on the other 2 domains. Example:

<html>
 <head></head>
 <body>
 Please wait..........
 <img src="http://domain2.com/setcookie.php?user=encryptedusername"/>
 <img src="http://domain3.com/setcookie.php?user=encryptedusername"/>
 </body>
</html>

Then add an onload callback on body tag. The document will only load when the images completely load that is when cookies are set on the other 2 domains. Onload Callback :

<head>
 <script>
 function loadComplete(){
  window.location="http://domain1.com";//URL of domain1
 }
 </script>
</head>
<body onload="loadComplete()">

Now cookies are set on the three domains.

Source

Solution 3

Include a script tag from domain2 that sets the cookie using a username and hashed password:

<script type="text/javascript" src="http://domain2.com/cookie_login_page.php?username=johnsmith&hash=1614aasdfgh213g"></script>

You can then check to ensure that the hashed passwords match (one way).

Key points:

Make the hashes in the URL time sensitive by appending a timestamp that will be agreed upon by the server (for example, 16:00, 16:10, etc) before hashing the string. If you're using HTTPS this is less of an issue.
If your passwords are already hashed, it wont hurt to double-hash the passwords assuming the salts are the same on both servers.

Sample PHP code:

src:

<script type="text/javascript" src="/cookie_login_page.php?username=<?php echo $username; ?>&hash=<?php echo md5($password . date('H')); ?>"></script>

dest:

<?php 

$password = get_password($_GET['username']);
if($_GET['hash'] == md5($password . date('H')) {
    // set the cookie
}

Solution 4

For security reasons, sites cannot set or retrieve cookies on other domains. Scripting the form submit via javascript is likely the easiest to do, and will still store the cooikes you need in the browser cache.

View more solutions

56,318

Author by

ClarkeyBoy

I am currently developing a website in VB.Net with CSS/SASS, JQuery and JQuery UI for Heritage Art Papers Ltd which achieved 66% as my final year project at university.. It was the dissertation which let me down.. The website has a full administration frontend for editing what end users see on the customer frontend. My aim over the period I am working on it is for administrators to eventually be able to add and remove attributes for specific types of item (that is: Range, Collection, Design, RangeCollection, CollectionDesign and RangeCollectionDesign [the final product with a product code]). They will then be able to reference these in the item template for the catalogue by using square brackets. Over time the system should become very sophisticated, and should log all actions (big or small) and highlight the important ones to admin - for example hacking attempts. I know CSS/SASS, HTML (obviously), ASP, ASP.Net (VB), PHP (a bit), Java (a bit) and JQuery/JQuery UI. I would like to learn C++ or C#, but to be honest I just dont have the time at the moment. I have just started work for StepStone Solutions in Luton, as an Application Developer. Loving the job so far, having just finished my 2nd week.

Updated on October 27, 2020

Comments

ClarkeyBoy over 3 years
My company has a setup as follows:
- subdomain1.domain1.com
- subdomain2.domain1.com
- subdomain3.domain1.com
- subdomain4.domain1.com
- subdomain5.domain1.com
- subdomain6.domain1.com
- subdomain1.domain2.com
- subdomain2.domain2.com
- subdomain3.domain2.com
- subdomain4.domain2.com
- subdomain5.domain2.com
- subdomain6.domain2.com
On each site, bearing in mind there can be a hundred sites per subdomain, users can log in. We, as developers, have to test frontends across several browsers, but some work may only be required on a section once logged in.

I have written a userscript which enables us to save a username and password (and other details which I cannot mention because of confidentiality). The script checks to see if the user account exists by filling in the login form and clicking the submit button. If not, it registers for us - thus automating the registration process.

Sharing cookies between subdomains on the same domain is easy. If I am on subdomain1.domain1.com I can save a cookie which can be retrieved by subdomain2.domain1.com. However, I would also like to save these for domain2. I do not appear to be able to get this to work.

I can see two solutions from here - either:

1) attach an iFrame using the userscript, which loads a site on domain2. This then uses the querystring to decide what to set to what, or;

2) use a form with method="POST", and simply post to a file on each domain.

Either way will be resource intensive, particularly if the cookies are updated each time a cookie changes. We also have URL masking in place. So we'd also have to take into account sites like abc.clientdomain1.com, abc.clientdomain2.com etc.

Does anyone know of an easier way to do achieve this?
ClarkeyBoy over 12 years

Unfortunately that was what I feared; it's gonna be a lot of work but I think it would be very rewarding to implement this. I will wait and see if anyone else has found an easier way to do this before I go accepting this answer.
ClarkeyBoy over 12 years

This sounds like it would do - not sure whether to go for this or if a form would be simpler to implement, on the basis that I am aiming to finish this within a week.
chanchal118 almost 8 years

How do i find out Google is doing this thing?
Subin over 6 years

@chanchal118 Inspect the page with developer tools while logging in to your Google account
skaldesh almost 6 years

I know this is really old, but could you elaborate on this answer? How does it work?
AlienWebguy almost 6 years

@BastiSkaldendudler it simply removes the browser's url from the cookie policy so the browser only ever knows about cookie.domain.com when dealing with the cookies. Basically approach it like you would an ad marketing network where you want shared cookies to be tracked across domains.
Silly Dude almost 4 years

Hi Subin, what problem is Google trying to solve, or what purpose do they try to a achieve, by using this technique?
Subin almost 4 years

@SillyDude When user logs into Google, it will login the same user on non .google.com domains such as youtube.com. I think they still use this, found it in page source while loggin in to Google iirc
Hritik over 2 years

This is so wrong in so many ways. 1) If you have an endpoint that consumes a double hashed password and a php script to output a single hashed password then you're no better than keeping the passwords unhashed. As even if the single hashed password database is leaked, the endpoint consuming double hash will still be usable. 2) Essentially, you're asking to relogin the user on a different endpoint using a <script> tag based GET request