ha.ckers sla.cking
For any nonsense or banter that doesn't fit anywhere else. LoL! omg! ROFL! 
setting cookies crossdomain
Posted by: Kyo
Date: March 13, 2009 03:21PM

more of a PHP question than security, but still somehow related to security. Basically I have two domains - one that is basically an interface where users can control their sites and whatever, and then a domain with the sites themselves - containing HTML. Right now I have the users logged in on the HTML-less site and not on the other, but I'd like to have them logged in on the other as well. There would be no "real" sensitive data exposed and no control. Basically just a control that lets them know which comments they can edit and what they voted.

Now if I want to do this, there are two questions:
1) how do I authenticate them? just a cookie with a user id? Nothing sensitive exposed and no way of doing anything with it, so it's not a problem from the "remote logging in" side, but maybe some users don't want their votes exposed, and it could be used by site creators to track who's been on their site. I could make it session based, but the session wouldn't last as long as the cookie set to keep the user logged in. I guess maybe some kind of verification string that changes with every login for a user.

But more importantly
2) How do I set the cookies on that domain? I can't find a solution that is not incredibly dirty. Iframes? JavaScript? Redirects?

Any ridiculously obvious solutions I'm missing here?

Re: setting cookies crossdomain
Posted by: bd808
Date: March 21, 2009 07:49PM

So you are trying to accomplish:
client -> -> login -> auth cookie for

No sane browser will accept a cookie sent by * to be resent to * There are things however that can be done that aren't too convoluted. Assuming you aren't barred from running some scripts on, the simplest thing may be a redirect through a page at to set the domain cookie following the initial authentication at Conceptually something like this:

1) client sends user/pass to
2) validates credentials
3) http redirect to and set auth cookie for domain
4) client follows redirect to
5) http redirect to and set auth cookie for domain
6) client follows redirect to
7) login success screen

A tricky part here will be protecting the authenticated user data that is exposed in the redirect from to Assuming that you can't do anything as easy as validate state via a database or other shared messaging system, you'll need to use either encryption or some sort of salted hash to prevent tampering and replay attacks.

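bd808's redirect chain, with the tamper/replay protection from his last paragraph, written out as an added example; this is not code from the thread. It models both hosts in one Python process: the host names panel.example (where the user logs in) and sites.example (the user-content host), the shared secret and the in-memory nonce set are all assumptions, the nonce set standing in for a shared database row or cache key. The hand-off token is an HMAC-signed, audience-bound, short-lived, single-use blob carried in the redirect URL. It also covers Kyo's first question: the cookie the content host ends up with is a fresh random session id minted on each hand-off, not the bare user id and not the panel's own cookie.

```python
"""Cross-domain login hand-off over redirects (added example, not thread code).

Flow modelled:
  1-3) panel.example validates credentials, sets its own cookie (not shown)
       and redirects to sites.example with a signed hand-off token;
  4-5) sites.example verifies the token, sets a cookie for its own domain
       and redirects back to panel.example.
Host names, SHARED_SECRET and the in-memory nonce set are assumptions.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlsplit

SHARED_SECRET = b"assumption: 32+ random bytes provisioned to both hosts"
TOKEN_TTL_SECONDS = 60           # one redirect hop takes well under a minute
PANEL_HOST = "panel.example"     # hypothetical control-panel domain
CONTENT_HOST = "sites.example"   # hypothetical user-content domain


def _b64u(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64u_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_handoff_token(user_id: int, audience: str, secret: bytes, now=None) -> str:
    """Issued by the panel host once the credentials have been validated."""
    now = time.time() if now is None else now
    payload = {
        "uid": user_id,
        "aud": audience,                 # binds the token to one receiving host
        "exp": int(now) + TOKEN_TTL_SECONDS,
        "nonce": secrets.token_hex(16),  # lets the receiver reject a replay
    }
    body = _b64u(json.dumps(payload, sort_keys=True, separators=(",", ":")).encode())
    sig = _b64u(hmac.new(secret, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def verify_handoff_token(token: str, audience: str, secret: bytes,
                         seen_nonces: set, now=None) -> int:
    """Run by the content host. Returns the user id or raises ValueError."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".", 1)
    except ValueError:
        raise ValueError("malformed token")
    expected = _b64u(hmac.new(secret, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        raise ValueError("bad signature")          # any tampering lands here
    payload = json.loads(_b64u_decode(body))
    if payload.get("aud") != audience:
        raise ValueError("token issued for another host")
    if now > payload["exp"]:
        raise ValueError("token expired")
    if payload["nonce"] in seen_nonces:
        raise ValueError("token replayed")
    seen_nonces.add(payload["nonce"])              # shared DB / cache in real life
    return int(payload["uid"])


def panel_login(user_id: int, now=None) -> str:
    """Step 3: after a successful login, the panel redirects to the content host."""
    token = make_handoff_token(user_id, CONTENT_HOST, SHARED_SECRET, now)
    return f"https://{CONTENT_HOST}/sso?" + urlencode({"t": token})


def content_host_sso(redirect_url: str, sessions: dict, seen_nonces: set, now=None):
    """Steps 4-5: verify the token, mint a cookie for sites.example, bounce back.

    Returns (Set-Cookie header value, Location header value)."""
    parts = urlsplit(redirect_url)
    if parts.hostname != CONTENT_HOST:
        raise ValueError("redirect did not land on the content host")
    token = parse_qs(parts.query).get("t", [""])[0]
    user_id = verify_handoff_token(token, CONTENT_HOST, SHARED_SECRET, seen_nonces, now)
    # The content host's cookie is its own random session id, never the panel's
    # auth cookie and never the plain user id, so script smuggled into user HTML
    # on sites.example cannot lift anything that works against panel.example.
    session_id = secrets.token_urlsafe(32)
    sessions[session_id] = user_id
    set_cookie = f"sid={session_id}; Domain={CONTENT_HOST}; Path=/; Secure; HttpOnly"
    return set_cookie, f"https://{PANEL_HOST}/login-complete"
```

Without a shared store the nonce check has to go and only the short expiry limits replay, which is the trade-off bd808 points at; with the shared host Kyo describes, the nonce (or a one-time row keyed by it) can simply live in the database.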
Re: setting cookies crossdomain
Posted by: Kyo
Date: March 22, 2009 06:33AM

yes, is mine as well. They're on the same host so they share all the info, so a shared database is available, but has user-generated HTML, so it should not have cookies that are of value to an attacker.

I've thought about doing this per XMLHttpRequest. Seems clean and efficient. Your solution is not too bad of an idea either, that leaves just the question of the cookie.
I could either take the pussy way out and just have it a userid, since no real sensitive data is on Making the auth cookie IP-dependent isn't too good of an idea, because that would make their authentication last for a shorter time than the one on the main site.
