accessing a cookie from another domain

Nay
Forum Regular
Posts: 951
Joined: Fri Jun 20, 2003 11:03 am
Location: Brisbane, Australia

accessing a cookie from another domain

Post by Nay »

so far i've read it's not possible. i've got gmail and if i go to gmail.com i get redirected to my account at gmail.google.com/gmail. anyhow, if the cookie is set by gmail.google.com which is 'google.com' then how can 'gmail.com' read it?

am i making sense? =\

-Nay
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Directly accessing "http://www.gmail.com":

Code:

HTTP/1.1 301 Moved Permanently
Location: http://gmail.google.com/
Set-Cookie: PREF=ID=4149330d4cddcc0e:TM=1088261472:LM=1088261472:S=uQfq_1qHkHRAYvt4; expires=Sun, 17-Jan-2038 19:14:07 GMT; path=/; domain=.google.com
Content-Type: text/html
Server: GWS/2.1
Content-Length: 154
Date: Sat, 26 Jun 2004 14:51:12 GMT

<HTML><HEAD><TITLE>301 Moved</TITLE></HEAD><BODY>
<H1>301 Moved</H1>
The document has moved
<A HREF="http://gmail.google.com/">here</A>.
</BODY></HTML>
Weirdan
Moderator
Posts: 5978
Joined: Mon Nov 03, 2003 6:13 pm
Location: Odessa, Ukraine

Post by Weirdan »

Does it mean that gmail.com can set cookies for .google.com?? Or is this cookie ignored by the browser?
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

it sets a cookie in both IE6 and FireFox 0.8

Last I read the cookie spec, you can set a cookie for any domain.. but only that domain will be allowed to read it, unless some malicious code is embedded into the browser that sends other domains' cookies..
Weirdan
Moderator
Posts: 5978
Joined: Mon Nov 03, 2003 6:13 pm
Location: Odessa, Ukraine

Post by Weirdan »

omg 8O. Do you realize what security threat it poses to the sites solely relying on the authentication using sessions?
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

yep.. and it's been this way for years.
Weirdan
Moderator
Posts: 5978
Joined: Mon Nov 03, 2003 6:13 pm
Location: Odessa, Ukraine

Post by Weirdan »

feyd wrote:yep.. and it's been this way for years.
Man, you scared me to death :x Thank God you were simply wrong. :) Such a cookie gets rejected by a browser. Just checked my browsers as well as RFC 2109.
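
Added example, not part of the thread: a sketch of the domain checks in RFC 2109 section 4.3.2, applied to a shortened copy of the Set-Cookie header quoted above. The function names are hypothetical and the cookie value is a placeholder.

```javascript
// Added example: RFC 2109 section 4.3.2 domain checks. Function names are
// hypothetical; the header is shortened from the response quoted in the thread.
const SAMPLE_SET_COOKIE =
  "PREF=ID=example; expires=Sun, 17-Jan-2038 19:14:07 GMT; path=/; domain=.google.com";

// Return the Domain attribute of a Set-Cookie value, lowercased, or null.
function cookieDomainAttr(setCookie) {
  for (const part of setCookie.split(";").slice(1)) {
    const eq = part.indexOf("=");
    if (eq > 0 && part.slice(0, eq).trim().toLowerCase() === "domain") {
      return part.slice(eq + 1).trim().toLowerCase();
    }
  }
  return null;
}

const isIpv4 = (host) => /^\d{1,3}(\.\d{1,3}){3}$/.test(host);

// RFC 2109 domain-match: identical strings, or host = N + domain where
// N is non-empty and domain begins with a dot.
function domainMatches(host, domain) {
  if (host === domain) return true;
  return !isIpv4(host) && domain.startsWith(".") &&
    host.length > domain.length && host.endsWith(domain);
}

// Decide whether a cookie received from requestHost may be stored.
function checkCookieDomain(requestHost, setCookie) {
  const host = requestHost.toLowerCase();
  const domain = cookieDomainAttr(setCookie);
  if (domain === null) {
    return { accept: true, reason: "no Domain attribute, cookie is bound to the request host" };
  }
  if (!domain.startsWith(".") || !domain.slice(1, -1).includes(".")) {
    return { accept: false, reason: "Domain must start with a dot and contain an embedded dot" };
  }
  if (!domainMatches(host, domain)) {
    return { accept: false, reason: "request host does not domain-match Domain" };
  }
  if (host.slice(0, host.length - domain.length).includes(".")) {
    return { accept: false, reason: "host prefix before Domain contains a dot" };
  }
  return { accept: true, reason: "request host domain-matches Domain" };
}

for (const host of ["www.gmail.com", "gmail.google.com", "a.b.google.com"]) {
  const verdict = checkCookieDomain(host, SAMPLE_SET_COOKIE);
  console.log(host, verdict.accept ? "ACCEPT" : "REJECT", "-", verdict.reason);
}
```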
snpo123
Forum Commoner
Posts: 77
Joined: Sat Apr 17, 2004 6:31 pm

Re: accessing a cookie from another domain

Post by snpo123 »

Nay wrote:so far i've read it's not possible. i've got gmail and if i go to gmail.com i get redirected to my account at gmail.google.com/gmail. anyhow, if the cookie is set by gmail.google.com which is 'google.com' then how can 'gmail.com' read it?

am i making sense? =\

-Nay
Off topic, but how do you get a gmail account right now? On gmail.google.com they say that you can't yet sign up. So how did you get an account?
Weirdan
Moderator
Posts: 5978
Joined: Mon Nov 03, 2003 6:13 pm
Location: Odessa, Ukraine

Re: accessing a cookie from another domain

Post by Weirdan »

snpo123 wrote:Off topic, but how do you get a gmail account right now? On gmail.google.com they say that you cant yet sign up. So how did you get an account?
From what I read gmail invitations are given randomly to the users of blogger.com
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

all I know is the cookie sets for me going to gmail.com
Weirdan
Moderator
Posts: 5978
Joined: Mon Nov 03, 2003 6:13 pm
Location: Odessa, Ukraine

Post by Weirdan »

Attempting to set that cookie seems to be hardcoded into GWS/2.1 (thus that cookie may be already set in your browser before you even visited gmail.com).
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

maybe.. except I hadn't visited google or gmail through FireFox until then.