accessing a cookie from another domain
Posted: Sat Jun 26, 2004 8:52 am
by Nay
so far i've read it's not possible. i've got gmail and if i go to gmail.com i get redirected to my account at gmail.google.com/gmail. anyhow, if the cookie is set by gmail.google.com which is 'google.com' then how can 'gmail.com' read it?
am i making sense? =\
-Nay
Posted: Sat Jun 26, 2004 9:52 am
by feyd
Directly accessing "http://www.gmail.com":
HTTP/1.1 301 Moved Permanently
Location: http://gmail.google.com/
Set-Cookie: PREF=ID=4149330d4cddcc0e:TM=1088261472:LM=1088261472:S=uQfq_1qHkHRAYvt4; expires=Sun, 17-Jan-2038 19:14:07 GMT; path=/; domain=.google.com
Content-Type: text/html
Server: GWS/2.1
Content-Length: 154
Date: Sat, 26 Jun 2004 14:51:12 GMT
<HTML><HEAD><TITLE>301 Moved</TITLE></HEAD><BODY>
<H1>301 Moved</H1>
The document has moved
<A HREF="http://gmail.google.com/">here</A>.
</BODY></HTML>
Posted: Sat Jun 26, 2004 3:14 pm
by Weirdan
Does it mean that gmail.com can set cookies for .google.com? Or is this cookie ignored by the browser?
Posted: Sat Jun 26, 2004 4:16 pm
by feyd
it sets a cookie in both IE6 and FireFox 0.8
Last I read the cookie spec, you can set a cookie for any domain.. but only that domain will be allowed to read it, unless some malicious code is embedded into the browser that sends other domains' cookies..
Posted: Sat Jun 26, 2004 4:25 pm
by Weirdan
omg. Do you realize what security threat it poses to the sites solely relying on the authentication using sessions?
Posted: Sat Jun 26, 2004 5:12 pm
by feyd
yep.. and it's been this way for years.
Posted: Sat Jun 26, 2004 7:25 pm
by Weirdan
feyd wrote:yep.. and it's been this way for years.
Man, you scared me to death.
Thank god you were simply wrong.
Such a cookie gets rejected by a browser. Just checked my browsers as well as rfc2109.
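The rejection rules of RFC 2109 section 4.3.2 that the post above refers to, applied to the Set-Cookie header quoted earlier in the thread. This is an added example, not code from any poster; the function names are assumptions made for illustration, and real browsers differ in detail from the RFC text.

```python
import ipaddress

# Set-Cookie value taken from the 301 response for www.gmail.com quoted in the thread.
HEADER = ("PREF=ID=4149330d4cddcc0e:TM=1088261472:LM=1088261472:S=uQfq_1qHkHRAYvt4; "
          "expires=Sun, 17-Jan-2038 19:14:07 GMT; path=/; domain=.google.com")

def parse_attrs(set_cookie):
    """Return the attributes after NAME=VALUE as a dict with lower-cased names."""
    attrs = {}
    for part in set_cookie.split(";")[1:]:
        name, _, value = part.strip().partition("=")
        attrs[name.lower()] = value.strip('"')
    return attrs

def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def domain_match(host, domain):
    """RFC 2109 domain-match: identical, or host is N + domain with N non-empty."""
    host, domain = host.lower(), domain.lower()
    if host == domain:
        return True
    return (not is_ip(host) and domain.startswith(".")
            and host.endswith(domain) and len(host) > len(domain))

def rejection_reason(request_host, request_path, set_cookie):
    """Return why RFC 2109 section 4.3.2 rejects the cookie, or None if accepted."""
    attrs = parse_attrs(set_cookie)
    path, domain = attrs.get("path"), attrs.get("domain")
    if path is not None and not request_path.startswith(path):
        return "Path is not a prefix of the request-URI"
    if domain is None:
        return None  # Domain defaults to the request-host
    if not domain.startswith(".") or "." not in domain.strip("."):
        return "Domain has no leading dot or no embedded dot"
    if not domain_match(request_host, domain):
        return "request-host does not domain-match Domain"
    if not is_ip(request_host) and "." in request_host[:-len(domain)]:
        return "host prefix H contains a dot"
    return None

if __name__ == "__main__":
    for host in ("www.gmail.com", "gmail.google.com", "a.b.google.com"):
        print(host, "->", rejection_reason(host, "/", HEADER) or "accepted")
```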
Re: accessing a cookie from another domain
Posted: Sat Jun 26, 2004 9:38 pm
by snpo123
Nay wrote:so far i've read it's not possible. i've got gmail and if i go to gmail.com i get redirected to my account at gmail.google.com/gmail. anyhow, if the cookie is set by gmail.google.com which is 'google.com' then how can 'gmail.com' read it?
am i making sense? =\
-Nay
Off topic, but how do you get a gmail account right now? On gmail.google.com they say that you can't yet sign up. So how did you get an account?
Re: accessing a cookie from another domain
Posted: Sat Jun 26, 2004 10:27 pm
by Weirdan
snpo123 wrote:Off topic, but how do you get a gmail account right now? On gmail.google.com they say that you can't yet sign up. So how did you get an account?
From what I read gmail invitations are given randomly to the users of blogger.com
Posted: Sat Jun 26, 2004 11:58 pm
by feyd
all I know is the cookie sets for me going to gmail.com
Posted: Sun Jun 27, 2004 12:11 am
by Weirdan
Attempting to set that cookie seems to be hardcoded into GWS/2.1 (thus that cookie may be already set in your browser before you even visited gmail.com).
Posted: Sun Jun 27, 2004 2:23 am
by feyd
maybe.. except I hadn't visited google or gmail through FireFox until then.