I'm trying to maintain a web site spread across two domains with the same host (one is actually in a subfolder of the other):
www.a.com -> /.../public_html/
www.b.com -> /.../public_html/b/
I have one script on a.com, let's call it public_html/readcookiedata.php, which reads in some session variables from a cookie. Another script on b.com, let's say public_html/b/index.php, needs to also read this cookie.
Right now index.php tries to require_once('../readcookiedata.php').
This works great if I visit www.a.com/b/index.php: the cookie is read OK.
However, if I browse to there directly, www.b.com/index.php, the cookie isn't read.
What's the best way to fix this problem? Is there a way for a.com to allow b.com to read its cookies? Or some way to configure the host to treat all requests to b.com as if they were for a.com/b/ instead?
No. Cookie security is built into the web at a browser level; browsers literally won't allow you to read data for cookies from other domains on pages served by a different domain.
Is it possible to set up two different projects on the same domain and the same server, but with different SESSION variables and pointing to different folders?
One is on maindomain.com (share session variables with subdomains except dashboard.maindomain.com) and one is 'dashboard.maindomain.com'
This implies that session variables must be shared between the primary domain and any subdomain, except dashboard.
Yes, it's possible.
In theory, it should be as easy as just properly configuring different cookie domains, as well as having separate storage (e.g. different file directories, in case you're using file-based sessions).
However, because cookies for example.com would be valid for and sent by clients to all subdomains, make sure to use a different session cookie name for your dashboard. subdomain. That way, it won't attempt to process cookies that weren't intended for it.
In addition, that's a security concern because your dashboard. app will now effectively be able to sniff cookies that are only intended for your main domain and other subdomains.
So, while technically possible, it might not be a good idea to do that.
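One way to configure the separation described in the answer above, as an added example that is not part of the original answer. The cookie names, save directories and the `start_app_session()` helper are assumptions; each application calls the helper with its own profile from its bootstrap file.

```php
<?php
// Added example: per-application session settings. Names and paths are
// assumptions for illustration, not values from the original posts.
const SESSION_PROFILES = [
    'main' => [
        'name'   => 'MAINSESSID',
        'domain' => '.maindomain.com',   // shared with the other subdomains
        'path'   => '/var/lib/php/sessions-main',
    ],
    'dashboard' => [
        'name'   => 'DASHSESSID',
        'domain' => '',                  // no Domain attribute: host-only cookie,
                                         // returned to dashboard.maindomain.com only
        'path'   => '/var/lib/php/sessions-dashboard',
    ],
];

function start_app_session(string $profileKey): string
{
    $profile = SESSION_PROFILES[$profileKey];

    ini_set('session.use_strict_mode', '1');   // reject session IDs the server did not issue
    session_name($profile['name']);            // distinct cookie name per application
    session_save_path($profile['path']);       // distinct storage per application
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'domain'   => $profile['domain'],
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();

    return session_name();
}

// In the dashboard's bootstrap file. The browser still sends MAINSESSID to
// this host (it is valid for every subdomain), but the dashboard never reads
// it as a session because its own session name differs.
start_app_session('dashboard');
```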
I have opened an anonymous website say example.com in a browser. Now I am running a PHP script which runs in another domain say test.com which is owned by me in another Tab from the same browser.
How can I get all the cookies which were set in example.com into my test.com PHP script?
The objective is to collect all the same cookies that were set in example.com & process those same cookies in my PHP script.
Any advice would be much appreciated.
You cannot get cookie information from one domain to another. It would be a massive security hole.
If you absolutely need the values, you will need to add a page to domain1 which reads the cookie and redirects to domain2, passing the cookie values as a query string or form parameter.
I run a website which has many different subdomains. We are introducing a new download server which is using a subdomain of the main domain. The way we normally check user information is with cross-subdomain cookies etc., but I know this won't work because of the different server, and I wondered what would be the best way of checking if the user is logged in etc. on the main server.
What I am wanting to do is the following:
Sub1.domain.tld = main server
When you want to download a file, it will point you to the appropriate server where the files are stored
Sub2.domain.tld = download server
Is there any way to keep or check if the user was logged in, please?
The way we normally do it with cookies across subdomains is
setcookie('LoginVariable1', $LoginVariable1, $expiretime, '/', '.domain.tld');
setcookie('LoginVariable2', $LoginVariable2, $expiretime, '/', '.domain.tld');
Cross domain cookies will exactly work in your case. The only case they would not work would be if you have "www.somedomain.example" and "download.someotherdomain.example", because you cannot define a cookie to be cross-domain for the top-level domain "example".
So this boils down to have a cookie that tells all servers something like the session id of the user, or an authentication token he got during login, and then all servers must ask some central authentication service whether this session or token is currently logged in.
If the subdomains map to different servers, you have two ways as I see it.
1) You can share the directory that php writes sessions to on server A and point server B there.
2) You can use database sessions and have both servers connect to a single database to verify/retrieve the session.
In both cases, you end up with a single, central place to store sessions.
We are running an online portal which is available via different domains (e.g. example.de, example.at, example.ch) as well as variations of it (e.g. exam-ple.de) and payment for all countries is done via secure.example.com, so it is not possible to access cookies on secure.example.com which were set on example.de.
First question (not directly referring to cookies):
Is it possible to forward a user from exam-ple.de to example.de without losing the referer information? Maybe with .htaccess?
Second question:
Is it "dirty" to store all cookie names in a configuration file and then pass all cookies via GET every time the user gets forwarded to another domain name and reset the cookies? I can only think of this one solution to make cookies available on different domains... Or does anyone have a better solution for the problem?
Best regards,
Freddy
To answer your first question, assuming that you are using apache2 as the web server (you mentioned .htaccess), I would suggest using mod_rewrite for redirecting the URLs to a different domain. When using mod_rewrite you are able to set cookies.
Also you can create a php script that forwards to your domains and sets the cookies. It might be called like www.yourdomain.com/forward.php?target=at&....
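A tamper-evident form of the forwarding handoff discussed here and in the earlier answer about redirecting with cookie values in the query string, as an added example that is not part of the original posts: the sending domain issues a short-lived HMAC-signed token and the receiving domain verifies it before setting its own cookies. `HANDOFF_KEY`, the token layout and the function names are assumptions.

```php
<?php
// Added example. HANDOFF_KEY is a placeholder: load a random secret
// shared by both domains from configuration instead of hard-coding it.
const HANDOFF_KEY = 'replace-with-random-secret-from-config';
const HANDOFF_TTL = 60;   // seconds a token stays valid

function b64url(string $bin): string
{
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}

// Sending domain: pack only the values the target needs, bind them to the
// intended target host and an expiry time, then sign the payload.
function issue_handoff(array $values, string $targetHost, ?int $now = null): string
{
    $payload = b64url(json_encode([
        'v'   => $values,
        'aud' => $targetHost,
        'exp' => ($now ?? time()) + HANDOFF_TTL,
    ], JSON_THROW_ON_ERROR));

    return $payload . '.' . b64url(hash_hmac('sha256', $payload, HANDOFF_KEY, true));
}

// Receiving domain: returns the values, or null when the token is malformed,
// modified, expired, or was issued for a different host.
function accept_handoff(string $token, string $thisHost, ?int $now = null): ?array
{
    $parts = explode('.', $token);
    if (count($parts) !== 2) {
        return null;
    }
    [$payload, $mac] = $parts;
    $expected = b64url(hash_hmac('sha256', $payload, HANDOFF_KEY, true));
    if (!hash_equals($expected, $mac)) {   // constant-time comparison
        return null;
    }
    $data = json_decode(base64_decode(strtr($payload, '-_', '+/')), true);
    if (!is_array($data) || !is_array($data['v'] ?? null)
        || ($data['aud'] ?? null) !== $thisHost
        || ($data['exp'] ?? 0) < ($now ?? time())) {
        return null;
    }
    return $data['v'];
}

// Constructed usage: example.de forwards a basket reference to secure.example.com.
$token = issue_handoff(['basket' => 'constructed-123'], 'secure.example.com');
var_dump(accept_handoff($token, 'secure.example.com'));         // the values array
var_dump(accept_handoff($token . 'x', 'secure.example.com'));   // NULL: signature mismatch
```

The token still appears in URLs and server logs for its lifetime, so keep the TTL short and do not place the session ID itself in it.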
I have a website which creates a cookie and I want to use this cookie in my application on Facebook. Is it possible? If not, any idea how to receive information from my website and pass it to Facebook?
You can't share cookies across domains - just subdomains. That's by design, and important (tm).
Can you have the user log in to your site using Facebook Connect to share a session across the two sites?
Just as Andy said, you can't share cookies across domains and this is an important security feature. Another thing you can't do is make cross-domain AJAX requests.
What's odd about your question is you're asking about a Facebook application. Facebook applications are not hosted by Facebook, so therefore you are hosting the application yourself. Since you are hosting the application yourself, it is possible you're hosting the application on the same server and even domain. Therefore, if that is the case, as long as your Facebook application is using an iframe and points to the application hosted on the same domain, you can have cookies accessed from both the application and the website. But again, I repeat, this is only if your Facebook application is using an iframe and pointing to a domain that is the same as your website.
Tip: If your application or website is a subdomain, make sure to put a dot before your cookie to make it accessible on all subdomains. i.e. .domain.com