Rico

Reputation: 1298

Storing a Cookie

OK, so I have 3 sites. All need to store a cookie that each site needs to be able to see. I have a single ASPX that stores this cookie for all 3 sites. Basically, on each page on the site there is a JavaScript that calls the ASPX and makes it store the cookie. If the ASPX is on one domain and I'm loading the ASPX as an image, why does each site not write to the same cookie? Basically, let me break it down this way.

x.com, y.com and z.com all exist.

y.com/cookiesave.aspx also exists. It writes a cookie called bob and sets it to a GUID if it doesn't exist.

x.com, y.com, and z.com on all pages basically have a JavaScript that loads an image from y.com/cookiesave.aspx, which returns a 1x1 transparent image. Yet it doesn't seem to see these cookies coming from y.com.
It still sees all three sites as saving and loading the cookie separately. How the heck does it know if the script is on y.com only?

Upvotes: 4

Views: 458

Answers (2)

Martin Algesten

Reputation: 13620

Cookies must have the same originating domain. For any cookie there are two key values: cookie domain and cookie path. The cookie domain is by default set to the domain of the page loaded, for instance www.foo.com. If you want to share a cookie between domains, these domains must be something like:

a.foo.com
b.foo.com
c.foo.com

In which case the cookie domain must be set to foo.com (you can't set com).

The cookie path is the path on the server that the cookie should be returned for. Most often you set this to / which means any path will get the cookie. But you can set it to /something and then any page like /something/here/ will get the cookie.

Edit:

Most browsers block cookies from any 3rd party that is not the page you're visiting.

Cookie blocking

Upvotes: 1
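The domain and path rules described in the answer above, as an added example that is not part of the original answer: a simplified version of the RFC 6265 domain-match and path-match checks a browser applies before sending a cookie. The cookie objects, function names and request list are constructed for illustration; the public-suffix check (why you cannot set `com`) and third-party cookie blocking are not modeled.

```javascript
// Added example: simplified RFC 6265 domain-match and path-match checks.
// Host names and cookie values below are constructed for illustration.

// RFC 6265 section 5.1.3: the host matches if it equals the cookie domain
// or ends with "." + cookie domain (host-only cookies need an exact match).
function domainMatches(host, cookie) {
  const h = host.toLowerCase();
  const d = cookie.domain.toLowerCase();
  if (cookie.hostOnly) return h === d;
  return h === d || h.endsWith("." + d);
}

// RFC 6265 section 5.1.4: the request path matches if it equals the cookie
// path, or the cookie path is a prefix that ends at a "/" boundary.
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// Would the browser attach this cookie to a request for host + path?
function cookieIsSent(cookie, host, path) {
  return domainMatches(host, cookie) && pathMatches(path, cookie.path);
}

// Constructed cookies: one shared across subdomains (Domain=foo.com, Path=/),
// one host-only (no Domain attribute) with a narrower path.
const shared = { name: "bob", domain: "foo.com", hostOnly: false, path: "/" };
const hostOnly = { name: "bob", domain: "www.foo.com", hostOnly: true, path: "/something" };

function demo() {
  const requests = [
    ["a.foo.com", "/"], ["b.foo.com", "/something/here/"],
    ["www.foo.com", "/something/here/"], ["www.foo.com", "/somethingelse"],
    ["x.com", "/"], ["notfoo.com", "/"],
  ];
  return requests.map(([host, path]) => ({
    host, path,
    shared: cookieIsSent(shared, host, path),
    hostOnly: cookieIsSent(hostOnly, host, path),
  }));
}

console.table(demo());
```

The `x.com` and `notfoo.com` rows show why unrelated domains never receive a cookie set for `foo.com`: matching is on the dot-separated suffix, not on a plain string suffix.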

Hogan

Reputation: 70513

The protections that stop this are put in place by the browser makers to prevent cross site scripting attacks. If you have a legitimate goal then implement it in this way; use x.my.com, y.my.com and z.my.com and set your cookie(s) for my.com and not for each one.

Also note: The protections against this kind of action are not just stopped by the browser, there are also security gateways, firewalls, etc. that look for this behavior because it is assumed to be an attack. Unless you are performing an attack, do it the way I suggest. Oh, and don't perform an attack -- if that is what you are thinking of doing.

Upvotes: 3
