Reading a cookie sent from a different server/domain
Moderator: General Moderators
- Josh1billion
- Forum Contributor
- Posts: 316
- Joined: Tue Sep 11, 2007 3:25 pm
You could store the user's IP address in a database.. other than that, I dunno.
quilby wrote: How is the db gonna know what to select if it does not know anything about the user?
What's that have to do with anything?
This isn't for malicious purposes now, is it?
- RobertGonzalez
- Site Administrator
- Posts: 14293
- Joined: Tue Sep 09, 2003 6:04 pm
- Location: Fremont, CA, USA
My aim here is not to steal someone's cookies from eBay or a bank account. I just want it so that the users don't have to log in to my websites every time they go from one domain to another.
I did think about using IPs, but whenever the user reconnects to the internet it would change and so it would be very unreliable.
Everah, what projects are you talking about? I know of OpenID, but is there anything similar?
- superdezign
- DevNet Master
- Posts: 4135
- Joined: Sat Jan 20, 2007 11:06 pm
If the user is not required to login, then you need to create some sort of way of determining which user is which. Why you would want all of your users to be anonymous is beyond me, but you need to create some sort of unique id for each user that you transfer via POST / GET requests from one domain to another and save to their sessions, which allows you to have some sort of middle ground for multiple domains to access in your database.
Of course, you could simplify that with user accounts.
- RobertGonzalez
- Site Administrator
- Posts: 14293
- Joined: Tue Sep 09, 2003 6:04 pm
- Location: Fremont, CA, USA
I think if you do own site1.com and site2.com you can do this little trick (I haven't tested, just an idea):
when the user logs in to site1.com, redirect him to a script on site2.com that takes data from site1.com, puts cookies, and then redirects to site3.com with the script or redirects back to site1.com.
Test this; I think in theory it should work.
- Kieran Huggins
- DevNet Master
- Posts: 3635
- Joined: Wed Dec 06, 2006 4:14 pm
- Location: Toronto, Canada
how about:
site1 has auto login cookies saved.
site2 redirects to site1.
site1 redirects back to site2 with a time-sensitive key (via a browser POST).
site2 submits the key directly (not through the browser) to site1, who compares the hash to the original, then returns the session details.
Secure....ish, though I wouldn't bet the farm on it.
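The hand-off Kieran Huggins lists above, as an added Python example that is not part of the original thread: site1 keeps only a hash of a random, single-use, time-limited key, and site2 redeems that key over a server-to-server call. The class and function names, the 30-second lifetime and the idea that site1 already knows which site is calling (for example from a per-site credential) are assumptions.

```python
import hashlib
import secrets
import time

TICKET_TTL = 30  # seconds a ticket stays valid (assumed value)


class Site1:
    """Login site: owns the auto-login cookie and issues tickets (hypothetical class)."""

    def __init__(self):
        self._pending = {}  # sha256(ticket) -> (user, target_site, expires_at)

    @staticmethod
    def _digest(ticket):
        return hashlib.sha256(ticket.encode()).hexdigest()

    def issue_ticket(self, user, target_site, now=None):
        """Step 3: called after site1 recognises the user from its own cookie."""
        now = time.time() if now is None else now
        ticket = secrets.token_urlsafe(32)  # unguessable, carries no user data
        self._pending[self._digest(ticket)] = (user, target_site, now + TICKET_TTL)
        return ticket  # sent to site2 through the browser

    def redeem(self, ticket, calling_site, now=None):
        """Step 4: server-to-server call from site2. Returns the user or None."""
        now = time.time() if now is None else now
        entry = self._pending.pop(self._digest(ticket), None)  # single use
        if entry is None:
            return None  # unknown or already redeemed
        user, target_site, expires_at = entry
        if now > expires_at or calling_site != target_site:
            return None  # too old, or issued for a different site
        return user


def demo():
    site1 = Site1()
    t0 = 1_000_000.0  # constructed clock value
    fresh = site1.issue_ticket("quilby", "site2.com", now=t0)
    first = site1.redeem(fresh, "site2.com", now=t0 + 5)
    replay = site1.redeem(fresh, "site2.com", now=t0 + 6)
    stale = site1.issue_ticket("quilby", "site2.com", now=t0)
    expired = site1.redeem(stale, "site2.com", now=t0 + TICKET_TTL + 1)
    other = site1.issue_ticket("quilby", "site2.com", now=t0)
    wrong_site = site1.redeem(other, "site3.com", now=t0 + 1)
    return first, replay, expired, wrong_site


if __name__ == "__main__":
    print(demo())
```

Because the key is removed on first lookup and bound to one target site, a copy captured from the browser redirect is useless once site2 has redeemed it, after it expires, or when presented by a different site.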
Thanks ASDen and Kieran Huggins, I'll see what I can do with what you said.
BTW, what I want to do is make it so that a user goes on site1.com and enters some of his details (like name, age, occupation; nothing secret/sensitive) and then when he goes to site2.com, site3.com, and site4.com (which don't trust each other, meaning I will have to use a widget or something like that), those sites automatically know his details. I wanted to make this as hassle-free as possible, so the first thing that came to mind was storing a cookie. Now that I understand that cookies can't be stored for cross-domain usage, it looks like the only option is having the user log in or enter a UID on every site that he goes to. Maybe you guys can think of a better alternative.
Thanks!
Again, I do not have ownership of the sites and can only put a couple of lines of code (a widget) on every site. No SQL queries on site2.com, site3.com and so on.
I use CAS (Central Authentication Service) for this. It is a standard developed at Yale, but is being used all over the place. It uses the same strategy as discussed above.
http://www.ja-sig.org/products/cas/
This is an implementation of a server written in Java, however the standard is open so you can get client libraries for about every major language. The PHP CAS client can be found at http://esup-phpcas.sourceforge.net/
May seem overkill at first, but it is handy when your network starts to grow beyond a single site or technology and you want people to be able to login once.
-Steve
Hi again!
If you read this article http://www.techcrunch.com/2007/10/30/fa ... ow-so-far/
you will see that it says the following:
"SocialAds will be an attempt to be like Google’s AdSense, except that it will allow ads to be targeted to Facebook members’ individual interests and profile data rather than the text on a given Web page. This targeting will be done by placing cookies on Facebook members’ browsers when they visit the social site, so that they can be identified later when they visit other sites hosting SocialAds."
This is exactly what I want to do... I want to put a cookie in a user's web browser so that when he visits one of my other sites I will be able to see that info, which is what Facebook is doing.
So.... How do I do it?
- RobertGonzalez
- Site Administrator
- Posts: 14293
- Joined: Tue Sep 09, 2003 6:04 pm
- Location: Fremont, CA, USA
Specifications on cookies wrote:
domain=DOMAIN_NAME
When searching the cookie list for valid cookies, a comparison of the domain attributes of the cookie is made with the Internet domain name of the host from which the URL will be fetched. If there is a tail match, then the cookie will go through path matching to see if it should be sent. "Tail matching" means that domain attribute is matched against the tail of the fully qualified domain name of the host. A domain attribute of "acme.com" would match host names "anvil.acme.com" as well as "shipping.crate.acme.com".
Only hosts within the specified domain can set a cookie for a domain and domains must have at least two (2) or three (3) periods in them to prevent domains of the form: ".com", ".edu", and "va.us". Any domain that fails within one of the seven special top level domains listed below only require two periods. Any other domain requires at least three. The seven special top level domains are: "COM", "EDU", "NET", "ORG", "GOV", "MIL", and "INT".
The default value of domain is the host name of the server which generated the cookie response.
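The domain rules quoted above, as an added Python example that is not part of the original thread or of the specification: it shows why a response from site1.com cannot plant a cookie for site2.com and why a site1.com cookie is never sent to site2.com. The function names are hypothetical, periods are counted with the domain in leading-dot form (an assumption about how the quoted rule counts them), and the tail match is done on a dot boundary, as RFC 6265 requires, which is stricter than a plain string-suffix test.

```python
SPECIAL_TLDS = {"com", "edu", "net", "org", "gov", "mil", "int"}


def tail_match(cookie_domain, host):
    """True if host equals cookie_domain or ends with '.' + cookie_domain."""
    domain = cookie_domain.lower().lstrip(".")
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def has_enough_periods(cookie_domain):
    """The quoted rule: two periods under the seven special TLDs, else three."""
    domain = "." + cookie_domain.lower().lstrip(".")  # count in leading-dot form
    tld = domain.rsplit(".", 1)[-1]
    return domain.count(".") >= (2 if tld in SPECIAL_TLDS else 3)


def may_set(cookie_domain, responding_host):
    """Can a response from responding_host set a cookie for cookie_domain?"""
    return has_enough_periods(cookie_domain) and tail_match(cookie_domain, responding_host)


def will_send(cookie_domain, request_host):
    """Will the browser attach a cookie stored for cookie_domain to this request?"""
    return tail_match(cookie_domain, request_host)


if __name__ == "__main__":
    # Constructed host names, following the thread's site1.com / site2.com.
    print(may_set("site1.com", "www.site1.com"))   # own domain
    print(may_set("site2.com", "www.site1.com"))   # someone else's domain
    print(will_send("site1.com", "site2.com"))     # cross-domain read
```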
- Kieran Huggins
- DevNet Master
- Posts: 3635
- Joined: Wed Dec 06, 2006 4:14 pm
- Location: Toronto, Canada