Raphael Jeger
Raphael Jeger

Reputation: 5232

Cross-domain-cookies - a maybe new idea

My buddy Carsten Lau came along with an interesting idea on how to read cross-domain-cookies.

Situation: You want to read a cookie from domain "A" that was set on domain "B". Idea: From the client on domain "A", you execute a get-request to a dynamic resource on domain "B" – f.e. an image or javascript, which on the server "B" is in fact a programming language capable of reading cookies like PHP, Java etc. With that request, you send an unique identifier like a session id. So the code on the client which looks at a site on domain "A" could look like this:

<img src="www.domainB.com/?getCookie.php?sessionID=1234">

Now comes the funny part, server B reads on server-side the cookie set by domain "B" and writes the result with the provided session-id either in a DB accessible by domain "A" or returns a response which contains the cookie information to the client on domain "A" which then sends it via AJAX to server "A".

I am pretty sure there is a flaw we didn't find yet. I personally believe server "B" will not be able to read cookie informations because the client-browsers URL points to domain "A", but of course the "getCookie"-request explained above points to "B".

Please tell us what you think about it, why it works or why it can't work. A small proof of concept was, to my big surprise, successful.

Upvotes: 22

Views: 32021

Answers (2)

jmealy
jmealy

Reputation: 592

I put together an NPM package to help with cross-domain cookie/localStorage usage. I know this post is a bit old, but I thought I'd share, in case anyone else needs help with this:

By using an iframe hosted on Domain A, you can store all of your user data on Domain A, and reference that data by posting requests to the Domain A iframe.

Thus, Domains B, C, etc. can inject the iframe and post requests to it to store and access the desired data. Domain A becomes the hub for all shared data.

With a domain whitelist inside of Domain A, you can ensure only your dependent sites can access the data on Domain A.

The trick is to have the code inside of the iframe on Domain A which is able to recognize which data is being requested. The README in the above NPM module goes more in depth into the procedure.

Hope this helps!

Upvotes: 2

Darin Dimitrov
Darin Dimitrov

Reputation: 1039418

This is normal, because you have control of the 2 domains. This is how most websites achieve cross domain single-sign-on by the way. But if you do not have control of the second domain you cannot read cookies from it.

Upvotes: 19

Related Questions