Cross-Domain Cookies

Question

I have two webapps WebApp1 and WebApp2 in two different domains    I am setting a cookie in WebApp1 in the HttpResponse  How to read the same cookie from HttpRequest in WebApp2    I know it sounds weird because cookies are specific to a given domain  and we can t access them from different domains  I ve however heard of CROSS-DOMAIN cookies which can be shared across multiple  webapps  How to implement this requirement using CROSS-DOMAIN cookies   Note  I am trying this with J2EE webapps

User · Answer

I ve created an NPM module  which allows you to share locally-stored data across domains   https   www npmjs com package cookie-toss  By using an iframe hosted on Domain A  you can store all of your user data on Domain A  and reference that data by posting requests to the Domain A iframe     Thus  Domains B  C  etc  can inject the iframe and post requests to it to store and access the desired data   Domain A becomes the hub for all shared data     With a domain whitelist inside of Domain A  you can ensure only your dependent sites can access the data on Domain A   The trick is to have the code inside of the iframe on Domain A which is able to recognize which data is being requested   The README in the above NPM module goes more in depth into the procedure   Hope this helps

User · Answer

Do what Google is doing  Create a PHP file that sets the cookie on all 3 domains  Then on the domain where the theme is going to set  create a HTML file that would load the PHP file that sets cookie on the other 2 domains  Example    lt html gt      lt head gt  lt  head gt      lt body gt         lt p gt Please wait      lt  p gt         lt img src  http   domain2 com setcookie php theme whateveryourthemehere    gt         lt img src  http   domain3 com setcookie php theme whateveryourthemehere    gt      lt  body gt   lt  html gt    Then add an onload callback on body tag  The document will only load when the images completely load that is when cookies are set on the other 2 domains  Onload Callback     lt head gt      lt script gt     function loadComplete          window location  http   domain1 com    URL of domain1          lt  script gt   lt  head gt   lt body onload  loadComplete    gt   setcookie php   We set the cookies on the other domains using a PHP file like this     lt  php if isset   GET  theme         setcookie  theme     GET  theme    time   3600       gt    Now cookies are set on the three domains

User · Answer

As far as I know  cookies are limited by the  same origin  policy  However  with CORS you can receive and use the  Server B  cookies to establish a persistent session from  Server A  on  Server B    Although  this requires some headers on  Server B    Access-Control-Allow-Origin  http   server-a domain com Access-Control-Allow-Credentials  true   And you will need to send the flag  withCredentials  on all the  Server A  requests  ex  xhr withCredentials   true    You can read about it here   http   www html5rocks com en tutorials cors   https   developer mozilla org en-US docs HTTP Access control CORS

User · Answer

Since it is difficult to do 3rd party cookies and also some browsers won t allow that  You can try storing them in HTML5 local storage and then sending them with every request from your front end app

User · Answer

function GetOrder status  filter        var isValid   true    isValidGuid customerId       if  isValid            var refundhtmlstr                 varsURL   ApiPath     api Orders Customer     customerId     status     status     amp filter     filter          varsURL   ApiPath     api Orders Customer status     status     amp filter     filter            ajax               type   GET                 url  ApiPath     api Orders Customer     customerId     status     status     amp filter     filter              url  ApiPath     api Orders Customer status     status     amp filter     filter              dataType   json               crossDomain  true              xhrFields                    withCredentials  true                            success  function  data                    var htmlStr                       if  data    null    data Count     0                        htmlStr     lt div class  card  gt  lt div class  card-header  gt Bu kriterlere uygun siparis bulunamadi  lt  div gt  lt  div gt                                      else                           ReturnPolicyBtnUrl   attr  href   data ReturnPolicyBtnUrl                       var groupedData   data OrderDto sort function  x  y                            return new Date y OrderDate  - new Date x OrderDate                                               groupedData     groupBy data OrderDto  function  d    return toMonthStr d OrderDate                          localStorage  orderData     JSON stringify data OrderDto                          each groupedData  function  key  val                             var sortedData   groupedData key  sort function  x  y                                return new Date y OrderDate  - new Date x OrderDate                                                       htmlStr      lt div class  card-header  gt     key     lt  div gt                              each sortedData  function  keyitem  valitem                                  Date Convertions                             if  valitem StatusDesc    null                                    valitem StatusDesc   valitem StatusDesc                                                             var date   valitem OrderDate                              date   date substring 0  10  split  -                                date   date 2          date 1          date 0                               htmlStr      lt div class  col-lg-12 col-md-12 col-xs-12 col-sm-12 card-item clearfix   gt                                 lt div class  card-item-head  gt  lt span class  order-head  gt Siparis No   lt a href  ViewOrderDetails html CustomerId     customerId     amp OrderNo     valitem OrderNumber       gt     valitem OrderNumber     lt  a gt  lt  span gt  lt span class  order-date  gt     date     lt  span gt  lt  div gt                               lt div class  card-item-head  gt  lt span class  order-head  gt Siparis No   lt a href  ViewOrderDetails html OrderNo     valitem OrderNumber       gt     valitem OrderNumber     lt  a gt  lt  span gt  lt span class  order-date  gt     date     lt  span gt  lt  div gt                               lt div class  card-item-head-desc  gt     valitem StatusDesc     lt  div gt                               lt div class  card-item-body  gt                                   lt div class  slider responsive  gt                                var i   0                                each valitem ItemList  function  keylineitem  vallineitem                                    var imageUrl   vallineitem ProductImageUrl replace   size    200                                   htmlStr      lt div gt  lt img src      imageUrl      alt      vallineitem ProductName      gt  lt span class  img-desc  gt     ProductNameStr vallineitem ProductName      lt  span gt  lt  div gt                                    i                                                                htmlStr      lt  div gt                               lt  div gt                           lt  div gt                                                                               each data OrderDto  function  key  value                            if  value IsSAPMigrationflag     true                                refundhtmlstr     lt div class  notify-reason  gt  lt span class  note  gt  lt B gt Notification    lt  B gt  Ge  mis siparisleriniz y  kleniyor   L  tfen kisa bir s  re sonra tekrar kontrol ediniz  Tesekk  rler   lt  span gt  lt  div gt                                                                                            orders   html htmlStr                       notification   html refundhtmlstr                   ApplySlide                               error  function                      console log  System Failure                                        Web config  Include UI origin and set Allow Crentials to true   lt httpProtocol gt         lt customHeaders gt           lt add name  Access-Control-Allow-Origin  value  http   burada com    gt           lt add name  Access-Control-Allow-Headers  value  Content-Type    gt           lt add name  Access-Control-Allow-Methods  value  GET  POST  PUT  DELETE  OPTIONS    gt           lt add name  Access-Control-Allow-Credentials  value  true    gt         lt  customHeaders gt       lt  httpProtocol gt

User · Answer

Cross-site cookies are allowed if   the Set-Cookie response header includes SameSite None  Secure as seen here and here and your browser hasn t disabled 3rd-party cookies    Let s clarify a  quot domain quot  vs a  quot site quot   I always find a quick reminder of  quot anatomy of a URL quot  helps me  In this URL https   example com 8888 examples index html  remember these main parts  got from this paper    the  quot protocol quot   https    the  quot hostname host quot   example com the  quot port quot   8888 the  quot path quot   examples index html   Notice the difference between  quot path quot  and  quot site quot  for Cookie purposes   quot path quot  is not security-related   quot site quot  is security-related  path Servers can set a Path attribute in the Set-Cookie  but it doesn t seem security related   Note that path was intended for performance  not security  Web pages having the same origin still can access cookie via document cookie even though the paths are mismatched   site The SameSite attribute  according to web dev article  can restrict or allow cross-site cookies  but what is a  quot site quot    It s helpful to understand exactly what  site  means here  The site is the combination of the domain suffix and the part of the domain just before it  For example  the www web dev domain is part of the web dev site   This means what s to the left of web dev is a subdomain  yep  www is the subdomain  but the subdomain is a part of the host  see the BONUS reply in this answer  In this URL https   www example com 8888 examples index html  remember these parts   the  quot protocol quot   https    the  quot hostname quot  aka  quot host quot   example com  in cases like  quot en wikipedia org quot   the entire  quot en example com quot  is also a hostname  the  quot port quot   8888 the  quot site quot   www example com the  quot domain quot   example com the  quot subdomain quot   www the  quot path quot    examples index html  Useful links   https   web dev samesite-cookies-explained  https   jisajournal springeropen com articles 10 1186 1869-0238-4-13 https   tools ietf org html draft-ietf-httpbis-rfc6265bis-03 https   inst eecs berkeley edu  cs261 fa17 scribe web-security-1 pdf https   developer mozilla org en-US docs Web HTTP Headers Set-Cookie   Be careful  I was testing my feature in  Chrome Incognito tab  according to my chrome   settings cookies  my settings were  quot Block third party cookies in Incognito quot   so I can t test Cross-site cookies in Incognito

User · Answer

The smartest solution is to follow facebook s path on this  How does facebook know who you are when you visit any domain  It s actually very simple   The Like button actually allows Facebook to track all visitors of the external site  no matter if they click it or not  Facebook can do that because they use an iframe to display the button  An iframe is something like an embedded browser window within a page  The difference between using an iframe and a simple image for the button is that the iframe contains a complete web page     from Facebook  There is not much going on on this page  except for the button and the information about how many people have liked the current page   So when you see a like button on cnn com  you are actually visiting a Facebook page at the same time  That allows Facebook to read a cookie on your computer  which it has created the last time you   ve logged in to Facebook   A fundamental security rule in every browser is that only the website that has created a cookie can read it later on  And that is the advantage of the iframe  it allows Facebook to read your Facebook-cookie even when you are visiting a different website  That   s how they recognize you on cnn com and display your friends there   Source     http   dorianroy com blog 2010 04 how-facebooks-like-button-works  https   stackoverflow com a 8256920 715483

User · Answer

There s a decent overview of how Facebook does it here on nfriedly com  There s also Browser Fingerprinting  which is not the same as a cookie  but serves a like purpose in that it helps you identify a user with a fair degree of certainty  There s a post here on Stack Overflow that references upon one method of fingerprinting

User · Answer

As other people say  you cannot share cookies  but you could do something like this    centralize all cookies in a single domain  let s say cookiemaker com when the user makes a request to example com you redirect him to cookiemaker com cookiemaker com redirects him back to example com with the information you need   Of course  it s not completely secure  and you have to create some kind of internal protocol between your apps to do that   Lastly  it would be very annoying for the user if you do something like that in every request  but not if it s just the first   But I think there is no other way

User · Answer

You cannot share cookies across domains  You can however allow all subdomains to have access  To allow all subdomains of example com to have access  set the domain to  example com   It s not possible giving otherexample com access to example com s cookies though

User · Answer

Yes  it is absolutely possible to get the cookie from domain1 com by domain2 com  I had the same problem for a social plugin of my social network  and after a day of research I found the solution   First  on the server side you need to have the following headers   header  Access-Control-Allow-Origin  http   origin domain port    header  Access-Control-Allow-Credentials  true    header  Access-Control-Allow-Methods  GET  POST    header  Access-Control-Allow-Headers  Content-Type         Within the PHP-file you can use   COOKIE name   Second  on the client side   Within your ajax request you need to include 2 parameters   crossDomain  true xhrFields    withCredentials  true     Example   type   get   url  link  crossDomain  true  dataType   json   xhrFields      withCredentials  true

User · Answer

Read Cookie  in Web Api  var cookie   actionContext Request Headers GetCookies  newhbsslv1                          Logger Log  Cookie      cookie  LoggerLevel Info                       Logger Log  Cookie count      cookie Count  LoggerLevel Info                        if  cookie    null  amp  amp  cookie Count  gt  0                                                Logger Log  Befor For      LoggerLevel Info                           foreach  var perCookie in cookie 0  Cookies                                                        Logger Log  perCookie      perCookie  LoggerLevel Info                                if  perCookie Name     newhbsslv1                                                                 strToken   perCookie Value

User · Answer

You can attempt to push the cookie val to another domain using an image tag       Your mileage may vary when trying to do this because some browsers require you to have a proper P3P Policy on the WebApp2 domain or the browser will reject the cookie   If you look at plus google com p3p policy you will see that their policy is    CP  This is not a P3P policy  See http   www google com support accounts bin answer py hl en amp answer 151657 for more info    that is the policy they use for their  1 buttons to these cross domain requests   Another warning is that if you are on https make sure that the image tag is pointing to an https address also otherwise the cookies will not set

User · Answer

There s no such thing as cross domain cookies  You could share a cookie between foo example com and bar example com but never between example com and example2 com and that s for security reasons

User · Answer

One can use invisible iframes to get the cookies  Let s say there are two domains  a com and b com  For the index html of domain a com one can add   notice height 0 width 0     lt iframe height  0  id  iframe  src  http   b com  width  0  gt  lt  iframe gt    That way your website will get b com cookies assuming that http   b com sets the cookies   The next thing would be manipulating the site inside the iframe through JavaScript  The operations inside iframe may become a challenge if one doesn t own the second domain  But in case of having access to both domains referring the right web page at the src of iframe should give the cookies one would like to get

[cookies] Cross-Domain Cookies

Examples related to cookies

Examples related to web-applications

Examples related to cross-domain