Posted: Sun Oct 14, 2007 6:43 am
by feyd
Another note: it's not possible to set cookies for another domain.
Posted: Sun Oct 14, 2007 7:00 am
by quilby
What's that have to do with anything?
How is the db gonna know what to select if it does not know anything about the user?
Posted: Sun Oct 14, 2007 10:38 am
by Josh1billion
quilby wrote: What's that have to do with anything?
How is the db gonna know what to select if it does not know anything about the user?
You could store the user's IP address in a database.. other than that, I dunno.
This isn't for malicious purposes now, is it?

Like having a site that reads someone's ebay.com cookies.. heh.
Posted: Sun Oct 14, 2007 11:16 am
by RobertGonzalez
You are not going to get what you want out of this. IPs are horribly unreliable. Cookies are not cross-domain capable.
There are projects in the works that would allow for single sign-on type access across the web, but using a cookie is not going to work for you I'm afraid.
Posted: Sun Oct 14, 2007 12:52 pm
by quilby
My aim here is not to steal someone's cookies from ebay or a bank account. I just want it so that the users don't have to log in to my websites every time they go from one domain to another.
I did think about using IPs, but whenever the user reconnects to the internet it would change and so it would be very unreliable.
Everah, what projects are you talking about? I know of OpenID, but is there anything similar?
Posted: Sun Oct 14, 2007 2:42 pm
by superdezign
If the user is not required to log in, then you need to create some sort of way of determining which user is which. Why you would want all of your users to be anonymous is beyond me, but you need to create some sort of unique id for each user that you transfer via POST / GET requests from one domain to another and save to their sessions, which allows you to have some sort of middle ground for multiple domains to access in your database.
Of course, you could simplify that with user accounts.
Posted: Sun Oct 14, 2007 3:15 pm
by RobertGonzalez
Just understand that GET/POST data is even more easily manipulated than cookies and is, hence, very unreliable.
Posted: Sun Oct 14, 2007 9:38 pm
by ASDen
I think if you do own site1.com and site2.com you can do this little trick (I haven't tested, just an idea):
When the user logs in to site1.com, redirect him to a script on site2.com that takes data from site1.com, puts cookies, and then redirects to site3.com with the script, or redirects back to site1.com.
Test this; I think in theory it should work.
Posted: Sun Oct 14, 2007 9:51 pm
by Kieran Huggins
how about:
site1 has auto login cookies saved.
site2 redirects to site1.
site1 redirects back to site2 with a time-sensitive key (via a browser POST).
site2 submits the key directly (not through the browser) to site1, who compares the hash to the original, then returns the session details.
Secure....ish, though I wouldn't bet the farm on it.
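The handoff Kieran sketches above, written out as an added example (not code from the thread): site1 mints a one-time, time-bounded key that the browser carries to site2, and site2 redeems it directly with site1. The HMAC over a shared secret, the 60-second lifetime, and the `return_to` binding are my assumptions about what "time-sensitive key" and "compares the hash" would look like in practice.

```python
import hashlib
import hmac
import secrets
import time

# Constructed values for the example; in practice the secret is provisioned
# out of band between the two sites (assumption, not from the thread).
SHARED_SECRET = b"constructed-shared-secret-between-site1-and-site2"
KEY_TTL_SECONDS = 60


class Site1:
    """The site that holds the auto-login session and vouches for the user."""

    def __init__(self, secret, clock=time.time):
        self.secret = secret
        self.clock = clock
        self.sessions = {}   # session_id -> user details site1 is willing to share
        self.issued = {}     # nonce -> (session_id, expires_at), pending handoff keys

    def _sign(self, nonce, expires, return_to):
        # Binding return_to means a key issued for site2 cannot be redeemed by site3.
        msg = f"{nonce}|{expires}|{return_to}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).hexdigest()

    def issue_handoff_key(self, session_id, return_to):
        """Step 3: mint a one-time, time-bounded key the browser POSTs back to site2."""
        nonce = secrets.token_urlsafe(16)
        expires = int(self.clock()) + KEY_TTL_SECONDS
        self.issued[nonce] = (session_id, expires)
        return {"nonce": nonce, "expires": expires,
                "sig": self._sign(nonce, expires, return_to)}

    def redeem(self, key, return_to):
        """Step 4: site2 presents the key server-to-server; returns session details or None."""
        record = self.issued.pop(key["nonce"], None)   # pop: a key can be redeemed once
        if record is None:
            return None                                # unknown, or replayed
        session_id, expires = record
        if expires != key["expires"] or self.clock() > expires:
            return None                                # tampered expiry, or expired
        expected = self._sign(key["nonce"], key["expires"], return_to)
        if not hmac.compare_digest(expected, key["sig"]):
            return None                                # forged, or bound to another site
        return self.sessions.get(session_id)


def site2_login(site1, key, return_to="https://site2.example/sso"):
    """Site2's side of step 4: redeem the browser-supplied key directly with site1."""
    return site1.redeem(key, return_to)
```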
Posted: Mon Oct 15, 2007 11:12 am
by quilby
Thanks ASDen and Kieran Huggins, I'll see what I can do with what you said.
BTW, what I want to do is make it so that a user goes on site1.com and enters some of his details (like name, age, occupation; nothing secret/sensitive) and then when he goes to site2.com, site3.com, and site4.com (which don't trust each other, meaning I will have to use a widget or something like that), those sites automatically know his details. I wanted to make this as hassle-free as possible, so the first thing that came to mind was storing a cookie. Now that I understand that cookies can't be stored for cross-domain usage, it looks like the only option is having the user log in or enter a UID on every site that he goes to. Maybe you guys can think of a better alternative.
Thanks!
Again, I do not have ownership of the sites and can only put a couple of lines of code (a widget) on every site. No SQL queries on site2.com site3.com and so on.
Posted: Mon Oct 15, 2007 12:37 pm
by shannah
I use CAS (Central Authentication Service) for this. It is a standard developed at Yale, but is being used all over the place. It uses the same strategy as discussed above.
http://www.ja-sig.org/products/cas/
This is an implementation of a server written in Java; however, the standard is open, so you can get client libraries for about every major language. The PHP CAS client can be found at
http://esup-phpcas.sourceforge.net/
May seem overkill at first, but it is handy when your network starts to grow beyond a single site or technology and you want people to be able to login once.
-Steve
Posted: Wed Oct 31, 2007 10:53 am
by quilby
Hi again!
If you read this article
http://www.techcrunch.com/2007/10/30/fa ... ow-so-far/
you will see that it says the following:
SocialAds will be an attempt to be like Google’s AdSense, except that it will allow ads to be targeted to Facebook members’ individual interests and profile data rather than the text on a given Web page. This targeting will be done by placing cookies on Facebook members’ browsers when they visit the social site, so that they can be identified later when they visit other sites hosting SocialAds.
This is exactly what I want to do... I want to put a cookie in a user's web browser so that when he visits one of my other sites I will be able to see that info, which is what facebook is doing.
So.... How do I do it?
Posted: Wed Oct 31, 2007 12:08 pm
by RobertGonzalez
Specifications on cookies wrote: domain=DOMAIN_NAME
When searching the cookie list for valid cookies, a comparison of the domain attributes of the cookie is made with the Internet domain name of the host from which the URL will be fetched. If there is a tail match, then the cookie will go through path matching to see if it should be sent. "Tail matching" means that domain attribute is matched against the tail of the fully qualified domain name of the host. A domain attribute of "acme.com" would match host names "anvil.acme.com" as well as "shipping.crate.acme.com".
Only hosts within the specified domain can set a cookie for a domain, and domains must have at least two (2) or three (3) periods in them to prevent domains of the form: ".com", ".edu", and "va.us". Any domain that falls within one of the seven special top level domains listed below only requires two periods. Any other domain requires at least three. The seven special top level domains are: "COM", "EDU", "NET", "ORG", "GOV", "MIL", and "INT".
The default value of domain is the host name of the server which generated the cookie response.
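The tail-matching and period-count rules quoted above, worked through as an added example (my code, not the spec's or the thread's). I assume the period count applies to the leading-dot form of the attribute, and I add a label-boundary check so that "acme.com" does not match "evilacme.com"; the quoted text itself only says "tail".

```python
# The seven "special" top-level domains named in the quoted spec.
SPECIAL_TLDS = {"com", "edu", "net", "org", "gov", "mil", "int"}


def tail_matches(domain_attr, host):
    """Tail matching: the cookie's domain attribute is compared with the tail of the host.
    Requiring the dot boundary is an addition here; without it "acme.com" would also
    match "evilacme.com"."""
    d = domain_attr.lower().lstrip(".")
    h = host.lower().rstrip(".")
    return h == d or h.endswith("." + d)


def domain_attr_allowed(domain_attr):
    """Period-count rule as quoted, applied to the leading-dot form (assumption):
    a domain under one of the seven special TLDs needs two periods, any other needs three,
    which rejects attributes like ".com" or "va.us"."""
    d = "." + domain_attr.lower().lstrip(".")
    tld = d.rsplit(".", 1)[-1]
    needed = 2 if tld in SPECIAL_TLDS else 3
    return d.count(".") >= needed


def may_set_cookie(setting_host, domain_attr):
    """Can a response from setting_host set a cookie scoped to domain_attr?
    Only a host inside that domain may, and the domain must be specific enough."""
    return domain_attr_allowed(domain_attr) and tail_matches(domain_attr, setting_host)


def cookie_sent_to(domain_attr, request_host):
    """Will a cookie stored with domain_attr be sent on a request to request_host?"""
    return tail_matches(domain_attr, request_host)
```

Run against the thread's scenario, `may_set_cookie("www.site1.com", "site2.com")` is false, which is the limitation the earlier replies describe.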
Posted: Wed Oct 31, 2007 12:38 pm
by Kieran Huggins
That facebook app is using an iframe to display the content. Therefore, facebook does not have access to that cookie, only the site loaded in the iframe does.
make sense?