The company I work for has four domains and I'm trying to set up the cookies, so one cookie can be generated and tracked across all the domains. From reading various posts on here I thought it was possible.
I've set up a subdomain on one site to serve a cookie and a 1x1 pixel image to all four sites.
But I can't get this working on the other sites.
Can anyone clarify:
Is it possible?
Am I missing something obvious, or is there a link to a good example?
I'm trying to do this server side with PHP.
Thanks
Are you having issues due to Internet Explorer and their Privacy stuff?
Session variables are lost if you use FRAMESET in Internet Explorer 6
Back in my former internet days, when IE6 first came out, we had to implement this because it broke some of our tracking. It's amazing that all you have to do is fake it, and everything works fine.
You're on the right track. We had a domain that hosted the tracking CGI that served the 1x1 transparent pixel and tracked what page a user was visiting. We then had a custom parser that would combine that data with Apache logs and dynamically create a graph of users' traffic patterns through our website. This was using dot from the Graphviz package.
This kind of thing is pretty easy if you are just trying to do stats, but if you're actually trying to persist user data across domains you'll have to do something more complicated.
The best way to set a cross-domain cookie is to make sure all your sites are subdomains of one master domain, say initech.com. So one of your sites, site1.initech.com, sets the cookie with a domain of ".initech.com" and it works fine.
It could be a problem if your sites are on totally different domains though.
Rather than try to set one cookie that each site can access, what you'll have to do is make sure that each site has its own exact duplicate of the original cookie. So, have your site, site1.com, set the cookie for itself and output three 1x1 gifs, or AJAX calls or whatever, to site2.com, site3.com and site4.com setting the same cookie to the same value.
This will be difficult to do securely and reliably ;)
To make sure somebody can't set arbitrary cookies on your domain, you'll have to pass through a hash of the cookie value on the image tag. If the cookie to be set is "mycookieval", also pass through md5("mycookieval"."somesecretstring".$_SERVER['REMOTE_ADDR']). This is potentially bad because it might allow an attacker to set the same cookie to the same IP address, or possibly to brute-force the hash generation.
You could compensate for this by inserting a record into a backend database whenever you set the cookie, and having the other three sites check against it for validity.
This question's pretty cold, but in case anyone else stumbles on it, or the OP still has need, I've created an NPM module which allows you to share locally-stored data across domains. It looks like this would exactly address the OP's need here, and it doesn't require that all sites share a base domain.
https://www.npmjs.com/package/cookie-toss
By using an iframe hosted on Domain A, you can store all of your user data on Domain A, and reference that data by posting requests to the Domain A iframe.
Thus, Domains B, C, etc. can inject the iframe and post requests to it to store and access the desired data. Domain A becomes the hub for all shared data.
With a domain whitelist inside of Domain A, you can ensure only your dependent sites can access the data on Domain A.
The trick is to have the code inside of the iframe on Domain A which is able to recognize which data is being requested. The README in the above NPM module goes more in depth into the procedure.
Hope this helps!
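The Domain A side of the hub described above, as an added example that is not the cookie-toss module's code: one handler that answers "get" and "set" messages only from an exact-match origin allowlist, and a wiring function that replies to the verified origin rather than to "*". The allowed origins, the message shape and the in-memory store (localStorage in a real iframe) are assumptions.

```javascript
// Added example: postMessage hub for the Domain A iframe, with an origin allowlist.
// Assumes messages look like {op: 'get'|'set', key, value} and that the hub page
// on Domain A is the only place the shared data lives.
const ALLOWED_ORIGINS = new Set(['https://www.site2.com', 'https://www.site3.com']); // assumption

// Returns a handler that processes one message event and returns the reply,
// or null when the event must be ignored (unknown origin or malformed message).
function createHub(allowedOrigins = ALLOWED_ORIGINS, store = new Map()) {
  return function handleMessage(event) {
    // Exact string comparison against the browser-supplied origin; never a
    // substring or regex test, which "site2.com.evil.example" would pass.
    if (!allowedOrigins.has(event.origin)) return null;
    const msg = event.data;
    if (!msg || typeof msg !== 'object' || typeof msg.key !== 'string') return null;
    if (msg.op === 'set') {
      store.set(msg.key, String(msg.value));
      return { key: msg.key, ok: true };
    }
    if (msg.op === 'get') {
      return { key: msg.key, value: store.has(msg.key) ? store.get(msg.key) : null };
    }
    return null;
  };
}

// Browser wiring for the iframe on Domain A (not executed outside a browser):
// reply to the sender, scoped to the origin that was just verified.
function installHub(hub) {
  window.addEventListener('message', (event) => {
    const reply = hub(event);
    if (reply !== null) event.source.postMessage(reply, event.origin);
  });
}
```

Sites B and C embed the Domain A page in an iframe and call iframe.contentWindow.postMessage({op: 'get', key: 'uid'}, 'https://hub.domain-a.example'); the target origin on the sending side matters as much as the allowlist on the receiving side, otherwise a page that swaps the iframe's location can read the request.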
Related
Is it at all possible to retrieve user information that can be used as a unique identifier between domains?
As a quick example of what I am trying to do (not exactly this but the theory is the same) say you had a main website at UK-news.com. You also had three other sites - England-news.com, Scotland-news.com and Wales-news.com, all hosted on the same server.
All 4 sites will share the same database and each would just pull the relevant info out of it. If a user becomes a member of one of the sites, they will also be given the option to become a member of any or all of the others. If a user signs-in to one of the sites he is a member of, and then goes to another how can I get that site to recognise him from the one he signed-in on so he is automatically logged in?
My theory was to store some user information (IP, USER_AGENT, browser, screen resolution, computer name, OS) in the database via PHP and then check against all of those as the user moves between sites. However, even checking against all of these, I am sure it will be possible for two different people to have exactly the same details.
Are there any truly unique identifiers that will guarantee that a person is recognised between domains?
Thanks
Steve
I don't know what the configuration of your server is, but: if one site is under something.domain.com and another under something2.domain.com, and the domains England-news.com and Scotland-news.com are only links to those sites, you can use URL rewriting and the cookie-sharing-over-subdomains option in PHP. But I think that this is not the case. So...
There is no 100% sure user recognition. And this is great; imagine what would happen if there were. You can NEVER trust user data or header data, while sometimes you cannot even trust the $_SERVER array. So there is no option to recognize the same user over a few domains.
1) The only answer that is useful is to suggest that you share the user MySQL table, and make all the logins and passwords the same for each site. In that case someone can log in to another site using the same data.
2) You can try to rely on second-hand services like a Google account or Facebook account to verify users on your site. But you must remember that there are people without Gmail and Facebook, and the availability of such a site will be reduced.
3) Use a service like forever cookie, or something like that, but this is also not 100% sure. It is using HTML5 storage, Flash objects, and everything to verify if this is the same user. But as far as I know, everything can be omitted, if you are patient enough.
Best regards!
I have an ecommerce system and a blog both working independently on two servers. The ecommerce server reverse proxies the blog under /blog.
This is all working fine, however my question is what is the best way to attain the header webpage element from one server to the other, taking into consideration there are dynamic elements within the header, basket count and user name if logged in.
The only solution I came up with is to grab the header via curl or the likes and cache periodically. Then enhance it with session data which is shared across the servers, i.e. the basket count, username.
Thanks in advance, hope this makes sense
Andrew
Since you're using a single server to reverse proxy, you can perform ajax requests to this single site without worrying about any of the cross-site policy shenanigans.
Let's say you have the following:
/blog -> Your blog server
/notblog -> Your EC server.
From a page served from under /blog you can fetch a url like /notblog/basket.php with an ajax request, and update various parts of your header with the relevant information.
Alternatively (a far more crude solution) would be to include /notblog/basket.php as a script file, and dynamically generate javascript that simply prints your header contents. (remember to add headers to prevent it from caching!)
Both of these require an extra request to your site, but so would your proposed solution of using cURL.
We got pitched this idea yesterday. A user visits our site and is marked. Then when they visit other sites like CNN they are targeted with ads for our site. So once they are exposed to us, they start to see us everywhere, creating the illusion we are bigger than we are.
The person pitching it said it was done by cookies. I was very skeptical since I don't believe there to be any way to see what cookies a different domain has set. So I wanted to try and figure out how it was accomplished. The salesman called this technology pixel tracking.
I have never heard of pixel tracking, but from my research I have found that it is placing a 1-pixel image that references a script on another domain with parameters to be executed. My first thought was, OK, maybe it's possible this way.. But I still don't know how?
Can anyone explain how they are able to mark you as visited our site, and then see this mark on another site? Is it from your IP?
Included at the bottom of the (CNN) website in this case is an img tag like:
<img src="http://www.webmarketingCompany.com/pixel.php?ID=623489593479">
When a user visits the (CNN) website, and the browser renders the page, it sends http requests for all the images as well, including a request to http://www.webmarketingCompany.com for the image pixel.php which includes the ID as a get parameter. pixel.php not only returns an image, typically a 1x1 transparent gif (so it isn't visible in the rendered page), but can do a whole host of additional processing using the ID value; and it also has access to any webmarketingCompany.com cookies, which are also sent with the http request.
Of course, CNN have to agree to include the img tag in their html. Typically it's used as a tracker by third party marketing companies working on behalf of CNN to identify who is visiting their site, what pages they're viewing, etc.
But because it's a PHP script, it can do a whole host of extras, such as setting further cookies. If webmarketingCompany.com also handle ad-serving on behalf of CNN, they can do some creative selection of the ads that they choose to serve.
Such cross-client "pollination" is frowned upon, certainly here in the UK.
What you are describing is pretty standard for all advertisement networks. The only difference here is that they will place that cookie on your site as well.
As long as the browser has "accept third party cookies" set to true, this will work as the salesman said. Most browsers have the setting set to true by default; the only exception I can think of is Safari.
Two years ago I had to design a system to share authentication data across multiple domains, all of which shared the same server/db. I was able to pull this off with a complex system of cookie sharing which, to date, still works.
I'm now in the process of redesigning the system and I was wondering if there are better ways to achieve this without having to write cross domain cookies.
Basically the system MUST do this.
Once logged in on one site, the user must be logged in on all of the other sites seamlessly, not only by following a link, but even by directly writing the domain name in the address bar.
To my knowledge the only way to achieve this are cross-domain cookies, if there are alternatives please tell me.
Thank you very much
My idea would be to include a login JavaScript from a third domain which gets included in all sites. This JavaScript sets and reads the session cookie and calls the current domain's server via AJAX with the result. (No validation should be done in the JS; this simply sets and reads the cookie.)
If cross-domain AJAX does not work, you can still call the third domain's server, which acts like a proxy and calls the current domain's server.
The StackOverflow sites have implemented something similar to this. Check out the details at the following links.
Here is a post giving an outline of how they did it.
And here is even more detail.
For this you do have to use cookies, but you can vary what you store in the cookie. The cookie doesn't have to contain user credentials but can instead contain something more like a token that you use to "centralize" your sessions.
The easiest way would be to let all hosts share a single memcached server and use the content of the user's cookie as your key.
I am currently working on a project that spans across multiple domains. What I want is for the user to be able to log in on one site and be logged in on all the others at the same time.
The users session is stored in the database, the cookies that I set on each domain contain the session id.
So basically when a user logs in to example.com a cookie is created with their session id, the session data is stored in the database. Once this is done a cookie needs to be created on all the other domains with this unique session id so that as the user travels from site to site they will automatically be logged in.
Now I have found a way to do this in Firefox (using image tags that execute PHP scripts on the other domains, essentially creating the different cookies on the different domains), but this method doesn't work in IE (haven't tested Opera or Safari etc. yet).
Does anyone have any ideas about how I can get this to work in IE?
Have a look at my question Cross Domain User Tracking.
What you need to do is to add another HTTP header to the "image".
Quote from Session variables are lost if you use FRAMESET in Internet Explorer 6:

You can add a P3P compact policy header to your child content, and you can declare that no malicious actions are performed with the data of the user. If Internet Explorer detects a satisfactory policy, then Internet Explorer permits the cookie to be set. A simple compact policy that fulfills this criteria follows:

P3P: CP="CAO PSA OUR"

This code sample shows that your site provides you access to your own contact information (CAO), that any analyzed data is only "pseudo-analyzed", which means that the data is connected to your online persona and not to your physical identity (PSA), and that your data is not supplied to any outside agencies for those agencies to use (OUR).

You can set this header if you use the Response.AddHeader method in an ASP page. In ASP.NET, you can use the Response.AppendHeader method. You can use the IIS Management Snap-In (inetmgr) to add to a static file. Follow these steps to add this header to a static file:

1. Click Start, click Run, and then type inetmgr.
2. In the left navigation page, click the appropriate file or directory in your Web site to which you want to add the header, right-click the file, and then click Properties.
3. Click the HTTP Headers tab.
4. In the Custom HTTP Headers group box, click Add.
5. Type P3P for the header name, and then for the compact policy string, type CP=..., where "..." is the appropriate code for your compact policy.
Not sure if it a good suggestion at this point in your development, but you should definitely look at Single Sign-on if you want to do it the "right" way.
Is it just me, or does it sound like you're CSRFing yourself with your technique using images that works in Firefox?
Interesting approach, although I hope you're not opening yourself up to a security threat there.
I haven't done this myself, but I think you're going the right way. I would probably do the same, except instead of an image I would use a JavaScript file. It would be generated on the server side and would update the cookies on the client side.
Possibly me being a bit silly, but could you not set the cookies for each domain name on login? So rather than them having one cookie when they login to Site A, they have five, or however many sites you have?
// PHP; each call emits one Set-Cookie header carrying its own Domain attribute
$expire = time() + 3600;
setcookie('A', $sessid, $expire, '/', 'domainA.com');
setcookie('B', $sessid, $expire, '/', 'domainB.com');
setcookie('C', $sessid, $expire, '/', 'domainC.com');
setcookie('D', $sessid, $expire, '/', 'domainD.com');
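As an added check, not part of any answer above, here is the test a browser applies to the Domain attribute of each Set-Cookie header it receives (RFC 6265, section 5.3 step 6, using the domain-matching rule of section 5.1.3): the cookie is stored only if the responding host is the named domain or a subdomain of it, and not at all if the attribute names a public suffix. It shows which of the setcookie() calls in the thread a browser will keep when all four arrive in one response from one host. The public-suffix set is a tiny constructed stand-in for the real list.

```javascript
// Added example: RFC 6265 Domain-attribute acceptance, as a browser evaluates it.
// PUBLIC_SUFFIXES is a constructed stand-in for the Public Suffix List.
const PUBLIC_SUFFIXES = new Set(['com', 'net', 'co.uk']);

// Lower-case and drop a trailing dot, as RFC 6265 section 5.1.2 canonicalization does.
function canonicalize(host) {
  return host.trim().toLowerCase().replace(/\.$/, '');
}

// RFC 6265 section 5.1.3: a request host domain-matches a domain string when the
// two are identical, or the host ends with "." + domain and is not an IP address.
function domainMatches(requestHost, domain) {
  const host = canonicalize(requestHost);
  const dom = canonicalize(domain);
  if (host === dom) return true;
  const isIPv4 = /^\d{1,3}(\.\d{1,3}){3}$/.test(host);
  return !isIPv4 && host.endsWith('.' + dom);
}

// Returns the domain the cookie is stored for, or null when the browser ignores it.
// requestHost is the host that sent the Set-Cookie; domainAttribute is its Domain value.
function acceptedCookieDomain(requestHost, domainAttribute) {
  const host = canonicalize(requestHost);
  if (domainAttribute === undefined || domainAttribute === '') return host; // host-only cookie
  const dom = canonicalize(domainAttribute.replace(/^\./, '')); // leading dot is ignored (5.2.3)
  if (PUBLIC_SUFFIXES.has(dom)) {
    // Section 5.3 step 5: a public suffix is only accepted when it is the host itself,
    // and then as a host-only cookie; "Domain=com" from any other host is dropped.
    return dom === host ? host : null;
  }
  if (!domainMatches(host, dom)) return null; // step 6: foreign or broader domain, ignored
  return dom;
}

// The four setcookie() calls above, as seen by a browser that got them all from domainA.com.
function keptFromDomainA() {
  return ['domainA.com', 'domainB.com', 'domainC.com', 'domainD.com']
    .filter((d) => acceptedCookieDomain('domainA.com', d) !== null);
}
```

Only the domainA.com cookie survives; the other three Set-Cookie headers are discarded without any error visible to the server, which is why the image-per-domain (or redirect-per-domain) approaches earlier in this thread exist: each cookie has to be set by a response from its own domain.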