How about this solution for cross domain set cookie?
Date: May 24, 2012 03:21AM
There are 2 domain using the same cookie pair(uid & sid) for authenticate user:
www.logger.com
www.logspot.com
uid was to identify a user, and sid was to authenticate him.
Suppose most of the user will login via www.logger.com, and the browser will set the cookie:
Set-Cookie: uid=15732; PATH=/; DOMAIN=logger.com;
Set-Cookie: sid=FupX5px7X; PATH=/; DOMAIN=logger.com;
And when the user click a hyper link in www.logger.com to jump to www.logspot.com/index.html, I don't want that user input his uid and password again.
I wrote a script which place in www.logger.com (http://www.logger.com/get_sid.php):
<?php
header("Content-Type: application/x-javascript");
if (isset($_COOKIE["uid"]) && isset($_COOKIE["sid"])) {
echo "document.cookie = 'uid=" . $_COOKIE["uid"] . "; path=/; domain=logspot.com;';\n";
echo "document.cookie = 'sid=" . $_COOKIE["sid"] . "; path=/; domain=logspot.com;';\n";
} else {
echo "void(0);";
}
?>
And then, I put this script inside www.logspot.com/index.html:
<script src="http://www.logger.com/get_sid.php">
I have try that this script can set the cookie for www.logspot.com.
I have try to JSON-Hijacking this script, but I failed.
Do you think this solution is safe to use?
