Reputation: 5232
Cross-domain-cookies - a maybe new idea
My buddy Carsten Lau came along with an interesting idea on how to read cross-domain-cookies.
Situation: You want to read a cookie from domain "A" that was set on domain "B". Idea: From the client on domain "A", you execute a get-request to a dynamic resource on domain "B" – f.e. an image or javascript, which on the server "B" is in fact a programming language capable of reading cookies like PHP, Java etc. With that request, you send an unique identifier like a session id. So the code on the client which looks at a site on domain "A" could look like this:
<img src="www.domainB.com/?getCookie.php?sessionID=1234">
Now comes the funny part, server B reads on server-side the cookie set by domain "B" and writes the result with the provided session-id either in a DB accessible by domain "A" or returns a response which contains the cookie information to the client on domain "A" which then sends it via AJAX to server "A".
I am pretty sure there is a flaw we didn't find yet. I personally believe server "B" will not be able to read cookie informations because the client-browsers URL points to domain "A", but of course the "getCookie"-request explained above points to "B".
Please tell us what you think about it, why it works or why it can't work. A small proof of concept was, to my big surprise, successful.
Upvotes: 22
Views: 32023
Answers (2)
Reputation: 592
I put together an NPM package to help with cross-domain cookie/localStorage usage. I know this post is a bit old, but I thought I'd share, in case anyone else needs help with this:
By using an iframe hosted on Domain A, you can store all of your user data on Domain A, and reference that data by posting requests to the Domain A iframe.
Thus, Domains B, C, etc. can inject the iframe and post requests to it to store and access the desired data. Domain A becomes the hub for all shared data.
With a domain whitelist inside of Domain A, you can ensure only your dependent sites can access the data on Domain A.
The trick is to have the code inside of the iframe on Domain A which is able to recognize which data is being requested. The README in the above NPM module goes more in depth into the procedure.
Hope this helps!
Upvotes: 2
Reputation: 1039468
This is normal, because you have control of the 2 domains. This is how most websites achieve cross domain single-sign-on by the way. But if you do not have control of the second domain you cannot read cookies from it.
Upvotes: 19
Related Questions
- JavaScript and third party cookies
- Cookies on cross domain requests
- Cross Domain User Tracking
- Cross Sub Domain Cookie
- Alternative option for cookie
- HTML elements which also sends a cookie for crossDomain request?
- Cross Domain Cookies with jQuery and jQuery Cookie
- Accessing Cookies of Other Domains using JavaScript/Java
- Cross domain cookie with script tag?
- Cross domain cookie reading/setting cross browsers