
accessing a cookie from another domain

Posted: Sat Jun 26, 2004 8:52 am
by Nay
so far i've read it's not possible. i've got gmail and if i go to gmail.com i get redirected to my account at gmail.google.com/gmail. anyhow, if the cookie is set by gmail.google.com which is 'google.com' then how can 'gmail.com' read it?

am i making sense? =\

-Nay

Posted: Sat Jun 26, 2004 9:52 am
by feyd
Directly accessing "http://www.gmail.com":

HTTP/1.1 301 Moved Permanently
Location: http://gmail.google.com/
Set-Cookie: PREF=ID=4149330d4cddcc0e:TM=1088261472:LM=1088261472:S=uQfq_1qHkHRAYvt4; expires=Sun, 17-Jan-2038 19:14:07 GMT; path=/; domain=.google.com
Content-Type: text/html
Server: GWS/2.1
Content-Length: 154
Date: Sat, 26 Jun 2004 14:51:12 GMT

<HTML><HEAD><TITLE>301 Moved</TITLE></HEAD><BODY>
<H1>301 Moved</H1>
The document has moved
<A HREF="http://gmail.google.com/">here</A>.
</BODY></HTML>

Posted: Sat Jun 26, 2004 3:14 pm
by Weirdan
Does it mean that gmail.com can set cookies for .google.com?? Or is this cookie ignored by the browser?

Posted: Sat Jun 26, 2004 4:16 pm
by feyd
it sets a cookie in both IE6 and FireFox 0.8

Last I read the cookie spec, you can set a cookie for any domain.. but only that domain will be allowed to read it, unless some malicious code is embedded into the browser that sends other domains' cookies..

Posted: Sat Jun 26, 2004 4:25 pm
by Weirdan
omg 8O. Do you realize what security threat it poses to the sites solely relying on the authentication using sessions?

Posted: Sat Jun 26, 2004 5:12 pm
by feyd
yep.. and it's been this way for years.

Posted: Sat Jun 26, 2004 7:25 pm
by Weirdan
feyd wrote:yep.. and it's been this way for years.
Man, you scared me to death :x Thank god you were simply wrong. :) Such a cookie gets rejected by a browser. Just checked my browsers as well as RFC 2109.
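
The Domain rejection rules of RFC 2109 (section 4.3.2) that the post above cites, as an added JavaScript example that is not part of the original thread. The function names and return shape are hypothetical, and the cookie value is constructed; only the hosts and the `domain=.google.com` attribute come from the thread.

```javascript
// Added example: RFC 2109 section 4.3.2 checks on the Domain attribute only
// (the Path and Port rules are out of scope). All names are hypothetical.
const SAMPLE = 'PREF=ID=constructed-value; path=/; domain=.google.com'; // constructed

const isIPv4 = (h) => /^\d{1,3}(\.\d{1,3}){3}$/.test(h);

// RFC 2109 section 2: A domain-matches B if they are equal, or if A = N + B
// where N is non-empty and B starts with a dot. IP addresses must be equal.
function domainMatch(host, domain) {
  if (host === domain) return true;
  if (isIPv4(host)) return false;
  return domain.startsWith('.') && host.length > domain.length && host.endsWith(domain);
}

// Pull the Domain attribute out of a Set-Cookie value (null if absent).
function parseDomainAttr(setCookie) {
  for (const part of setCookie.split(';').slice(1)) {
    const [name, ...rest] = part.split('=');
    if (name.trim().toLowerCase() === 'domain') return rest.join('=').trim().toLowerCase();
  }
  return null;
}

function checkSetCookieDomain(requestHost, setCookie) {
  const host = requestHost.toLowerCase();
  const domain = parseDomainAttr(setCookie);
  if (domain === null) return { accept: true, reason: 'no Domain attribute; defaults to request-host' };
  // Rule: Domain must start with a dot and contain an embedded dot (".com" fails).
  if (!domain.startsWith('.') || !domain.slice(1, -1).includes('.'))
    return { accept: false, reason: 'Domain lacks a leading dot or an embedded dot' };
  // Rule: the host that sent the header must domain-match the Domain value.
  if (!domainMatch(host, domain))
    return { accept: false, reason: 'request-host does not domain-match Domain' };
  // Rule: with host = H + Domain, H must not contain a dot (a.b.google.com fails).
  if (host.slice(0, host.length - domain.length).includes('.'))
    return { accept: false, reason: 'host prefix H contains a dot' };
  return { accept: true, reason: 'passes RFC 2109 Domain checks' };
}

for (const host of ['www.gmail.com', 'gmail.google.com', 'a.b.google.com']) {
  const r = checkSetCookieDomain(host, SAMPLE);
  console.log(`${host}: ${r.accept ? 'accept' : 'reject'} (${r.reason})`);
}
```

Current browsers follow RFC 6265 and a public suffix list rather than these exact rules, so they accept a Domain without a leading dot and allow deeper subdomains. A Set-Cookie whose Domain the responding host does not domain-match is still ignored.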

Re: accessing a cookie from another domain

Posted: Sat Jun 26, 2004 9:38 pm
by snpo123
Nay wrote:so far i've read it's not possible. i've got gmail and if i go to gmail.com i get redirected to my account at gmail.google.com/gmail. anyhow, if the cookie is set by gmail.google.com which is 'google.com' then how can 'gmail.com' read it?

am i making sense? =\

-Nay
Off topic, but how do you get a gmail account right now? On gmail.google.com they say that you can't yet sign up. So how did you get an account?

Re: accessing a cookie from another domain

Posted: Sat Jun 26, 2004 10:27 pm
by Weirdan
snpo123 wrote:Off topic, but how do you get a gmail account right now? On gmail.google.com they say that you can't yet sign up. So how did you get an account?
From what I read gmail invitations are given randomly to the users of blogger.com

Posted: Sat Jun 26, 2004 11:58 pm
by feyd
all I know is the cookie sets for me going to gmail.com

Posted: Sun Jun 27, 2004 12:11 am
by Weirdan
Attempting to set that cookie seems to be hardcoded into GWS/2.1 (thus that cookie may be already set in your browser before you even visited gmail.com).

Posted: Sun Jun 27, 2004 2:23 am
by feyd
maybe.. except I hadn't visited google or gmail through FireFox until then.