We Keep Coding

PHP Cookies for multiple Domains

I want to create a cookie from one domain once the user is registered in PHP. and make this cookie accessible to 4 other domains not subdomain. I know that cookies are not designed to be accessible for other domains. For example I have set a cookies variable $user_email from domain www.firstdomain.com and want to access it in other domains like www.seconddomain.com, www.thirddomain.com etc. May be this can be done using PHP or JavaScript. Any idea please.
Thank you!

When searching the cookie list for
valid cookies, a comparison of the
domain attributes of the cookie is
made with the Internet domain name of
the host from which the URL will be
fetched. If there is a tail match,
then the cookie will go through path
matching to see if it should be sent.
"Tail matching" means that domain
attribute is matched against the tail
of the fully qualified domain name of
the host. A domain attribute of
"acme.com" would match host names
"anvil.acme.com" as well as
"shipping.crate.acme.com". Only hosts
within the specified domain can set a
cookie for a domain and domains must
have at least two (2) or three (3)
periods in them to prevent domains of
the form: ".com", ".edu", and "va.us".
Any domain that fails within one of
the seven special top level domains
listed below only require two periods.
Any other domain requires at least
three. The seven special top level
domains are: "COM", "EDU", "NET",
"ORG", "GOV", "MIL", and "INT".
The default value of domain is the
host name of the server which
generated the cookie response.
read up here.
you can load an iframe from a host which then reloads itself with the encoded cookie value in the segment part (after the #).
you can then access the document.location attribute from the parent window (hits the only thing that is accessible). decode it and pass it to your server doing an ajax request.
This could look like so.
xss.php (located on cookies.example.com):
<?php
$data = array(
'uid' => $_COOKIE['uid'],
'loginhash' => $_COOKIE['loginhash']);
header('Location: xss.php#'.urlencode(json_encode($data)));
for this particular case it does not need to be the hashtag! its just convinient for other situations. this can also be done in javascript.
another website embeds xss.php:
<iframe id="cookies" src="http://cookies.example.com/xss.php"></iframe>
you need to somehow delay the following of do it in a loop that stops after 5 seconds or something.
if(document.getElementById('cookies').location != 'http://cookies.example.com/xss.php') {
// read location, extract hashtag, json decode using javscript, there you have your user. send it to server for validation or whatever.
}
this teqnique is called xss recieving. it is for example utilised by facebook for all their javascript connect libraries.
a probably better way would be some sort of token exchanging protocol like openid.
amazon uses this too.
you can set up an openid provider (there are librarys available that can do that out of the box) and set it to auotmatically redirect back without user interaction. i have often seen openid protocol used for some other purposes just like cross domain communication.

As you have already said, a cookie can only be set for a domain from that domain (including its subdomains). And if your domains do not share a common superdomain, you need set each cookie for each domain separately.
You can do this with a script that on each domain that sets the cookie for you. But make sure to authenticate requests to these scripts so that only you can set the cookies.

I had solved exactly same problem (actually also for 4 domains). The only solution I've came up with was, to include 3 hidden iframes on the 'Successful login page' and those iframes just load www.domain1.com/register_session.php, www.domain2.com/register_session.php, etc....
As a parameter for register_session.php I use 'sid' which contains session ID:
session_id($_GET['sid']);
session_start();
This is actually for keeping session alive on all those domains but the same would be for your case with cookies.

I ve done some scripts to handle multi domain cookie :
https://code.google.com/p/mudoco/

if you want to access cookie within different domains so this can be done with the help of javascript trick. As cookie can be accessed within same domain.
Create cookie on user’s browser using JavaScript on your first domain.
Set the name of the window to whatever value of cookie you want to carry to another domain by using window.name.
Step 2 should be performed on every page of the domain which has created the cookie. It could be easily by calling a JavaScript file on all pages.
When you move to another domain, and want to access the above mentioned cookie value, access it by using window.name as window has not changed.
Create new cookie on this domain and assign this value to it.

PHP session can't be retrieve after redirection using htaccess

I have done a redirection from www.abc.com to www.def.com using .htaccess.
The redirection is successfull but I have a problem whereby the cookies and session can only be accessed when I access the website using def.com.
The session will be missing when it is checked from abc.com.
How to copy or read the session at def.com?
Please Help me.

well you can't do it simply. Maybe see this post ?

Your cookie containing your session id (and therefore, your entire session) is only valid on the domain where it is created. So when you change domains, the cookie is no longer available. To work around this, you could send the session ID to the new domain (which is not very safe, but you might not care), and then creating a new cookie and session for that domain.

This is called "cross site scripting" (XSS) and a lot of people work very hard to make sure that what you want isn't possible. If you do find a way to do it, be sure to let us know, because that would be a MAJOR security breach.

You can only share the same session on both domains when you have access to the session data storage from both servers. Depending on the session data storage type and location, you might need to write your own session storage handler.
Besides that, you also need to make sure that the same session ID is used on both domains. If you want to use cookies for the session ID, you can only do it when your domains share a common super-domain, so they are sub-domains of the a domain like foo.example.com and bar.example.com share the super-domain example.com. In that case you need to adjust the session cookie parameter domain and set it to value .example.com for the super-domain example.com.
Otherwise, like in your example where the domains do only share com as a top level super domain, you can’t use cookies (in the first place). But you can use the URL to transfer the session ID from one domain to the other domain. To do that you need to enable session.use_trans_sid and disable session.use_only_cookies (both at least on the redirection target domain) and append the session ID to every URL pointing from one domain to the other (here you can use the SID constant).

session variables not carrying over from http://www.xxxx.com to http://xxxx.com

I was brought aware of this issue by some users on my website. A user many enter into their browser http://xxxx.com and then login. Then they may click on a link that brings them to http://www.xxxx.com it asks them to login again! Is this a known issue that anyone has encountered before? I tried googling it but im not sure if im using the wrong keywords or what because i cannot find anything related to this.
Thanks,
Ian McCullough

As far as your browser is concerned, www.xxxx.com and xxxx.com are different domains. The same-origin policy prevents accessing cookies across domains.
However, the browser is aware of subdomains, and a subdomain can access the cookies of a parent domain. So, if you want to make your cookie accessible to both xxxx.com and www.xxxx.com, just set your cookie on .xxxx.com and you'll be set.

When you set a cookie, you can optionally specify which domain the cookie is set for. If you don't, the cookie is particular to that hostname only, and thus if the cookie is set on www.example.com, it will only be returned by the browser on that hostname or below.
If, when setting the cookie, you set the domain to "example.com" it should work also on "www.example.com".
The problem is that the more specific cookie will override the less specific one, so if you've previously set a cookie on "www.example.com" it will continue to override the new one set for "example.com", rather than being replaced by it - you would first have to delete the one set for "www.example.com". It gets tricky since when the client returns a cookie to the server it doesn't say which hostname the cookie was set for.

People seem to be assuming you're using a cookie to perform authentication but are skipping what appears to be your root question. Trevor briefly touched on it, but still kept to the cookie concept. As far as http is concerned, www.xxxx.com and xxxx.com are different subdomains on the same top level domain. Hence, while they may be the same ip, same website, same everything, the browser request and the server's response are considered to be 2 separate domains/sites. Sessions are not shared across subdomains unless you have a separated session state (such as a SQL Session store, etc).
However, if you are using cookies for authentication, you can add a check for the cookie and rebuild a fresh session if the data in the cookie is valid (and sufficient to reconstruct session). Otherwise you'll have to separate session state from the process into a data store.

Check the domain of the cookie, when creating a cookie you can specify if it is for all sub domains, the root server, specific sub domain, etc. To handle all, the cookie would be for .example.com

PHP read a cookie that is on another domain

I have two domains. One domain contains the login script. It creates a cookie when logged in. Another domain have a URL shortener.
So, on the 2nd domain that have the URL Shortener script have a file called session.php. Usually I was using $_COOKIE['sessionid'] to get the session id and match it using database.
How can I get the session id now? I have tried few ways but none of them have solve my problem.

For obvious security reasons, you can't read a cookie that belongs to another domain. You can do it across sub-domains though.
Why not append the session id to the forwarded URL?

Have you considered using a SSO implementation?
http://www.jasig.org/cas
http://en.wikipedia.org/wiki/Single_sign-on
We use it at work, it's awesome! It means we don't have to worry about these types of problems.

Cookies are sent by the browser and only to the domain, the cookies were set for.
There is not much (meaning nothing ;) ) you can do.
But if your domains are two different subdomains (e.g. login.yourdomain.com and shortener.yourdomain.com) you just have to set the domain name accordingly to make the cookie valid for all subdomains.
In this case, it would be .yourdomain.com.
You might want to read the documentation of setcookie().
Maybe it is better if you clearly describe what you want to accomplish. Probably there is another solution that does not involve cookies.

Just while setting cookie from the login page
set the cookie to entire domain like this
setcookie("c","value",time()*3600*24,"/");
in this way you can set cookie to your entire domain.

You can't read a cookie from the other domain.
though there are several ways to pass a session id. You can search SO for the cross-domain authorization
The easiest way is to pass a session id via query string

You can't. Cookies are bound to a single domain. You can use cookies across multiple subdomains though.

Sharing $_SESSION variables across subdomains using PHP

I am trying to share the contents of the session variable across two subdomains but for some reason it is not working.
The sessionid is exactly the same on both subdomains but the variables aren't available.
I can achieve this with Cookies and this is working but would rather use the values in the session.
Here is how I'm setting the domain for the session:
Thanks,
Scott
UPDATE
Sorry should have said, I am already using the following:
ini_set('session.cookie_domain', substr($_SERVER['SERVER_NAME'],strpos($_SERVER['SERVER_NAME'],"."),100));
if(session_id ==''){session_start();}

You are looking for this function: session_set_cookie_params().
Say you have two domains:
site1.example.com
site2.example.com
In order to share your session data across both domains, call the following functiontion before session_start():
session_set_cookie_params(0, '/', '.example.com');
(Edit: indeed I forgot a dot in the example code)

The sessionid is exactly the same on
both subdomains (..)
Are you sure that the value (not the name) of sessionid is the same?
I needed similar thing 2 years ago, but I needed it to work on completely different virtual hosts (e.g., example.com and something.else.net), so I wrote a small script that ensures that user gets the same session_id on different virtual hosts. Source code is available at http://www.misc.lv/_downloads_file.php?id=18, but there's small bug on line 58 - arguments of strpos() should be swapped (I'm too lazy to fix it and upload fixed script).
Basic requirements/steps are:
all pages should be on the same server, as they need a common "storage" for session variables;
there must be one "main" host; there's no limit on a number of "additional" hosts;
if currently opened page is on the "main host" (and it is not a request of session_id), nothing "extraordinary" has to be done;
if page is not on the "main host" and there is an active session, nothing "extraordinary" has to be done, as session_id probably has already been shared;
if page is not on the "main host" and there is no active session, request a session_id from the "main host".