Is it Possible to Check Cookie from a Different Domain?

Discussion in 'Programming' started by MindReality, Jul 4, 2013.

0
  1. #1
    Is it Possible to Check Cookie from a Different URL?

    If my browser is on Domain 1, can I run a code that checks for a cookie from Domain 2?

    For example, I would like to check for a cookie with the name "popover" no matter which domain it is cookied from. Can I do that?
     
    Solved! View solution.
    MindReality, Jul 4, 2013 IP
  2. shubhamjain

    shubhamjain Active Member

    Messages:
    215
    Likes Received:
    2
    Best Answers:
    1
    Trophy Points:
    63
    #2
    No you can't because if you could anyone could easily read your paypal cookies and steal all your money. :).
     
    shubhamjain, Jul 5, 2013 IP
    deathshadow likes this.
  3. #3
    That's called session hijacking and sites like Paypal have already passed that stage. Just duplicating a cookie of an existing session should not work with many of the major financial services/companies.

    If you happen to own all the domains, then its a pretty easy thing to do. There are many ways you can share cookies between domains - something similar to what Google would do among it's services (gmail, youtube, etc..) or Microsoft's sites using live login.

    One of the ways you can do it is via an API, where the "master" domain set's the cookies/retrieves it and the "slave" domains request that cookie. This way itself can be done multiple ways, I personally find that using a distributed memory object caching system the fastest (something like Memcached).
     
    ThePHPMaster, Jul 7, 2013 IP
  4. shubhamjain

    shubhamjain Active Member

    Messages:
    215
    Likes Received:
    2
    Best Answers:
    1
    Trophy Points:
    63
    #4
    Hmm... What do they detect? IP change?
     
    shubhamjain, Jul 7, 2013 IP
  5. MindReality

    MindReality Well-Known Member

    Messages:
    202
    Likes Received:
    5
    Best Answers:
    0
    Trophy Points:
    105
    #5
    Hi,

    I own all the domains. Can you show me an example of the code to do what you just said?
     
    MindReality, Jul 7, 2013 IP
  6. shubhamjain

    shubhamjain Active Member

    Messages:
    215
    Likes Received:
    2
    Best Answers:
    1
    Trophy Points:
    63
    #6
    Correct me if wrong but that happens while maintaining a central URL for Auth token and maintaning cookie on services with session IDs which can request that Auth token with the session ID or something like that. I don't think that would be exactly cross domain cookies.
     
    shubhamjain, Jul 8, 2013 IP
  7. archert22

    archert22 Greenhorn

    Messages:
    7
    Likes Received:
    0
    Best Answers:
    0
    Trophy Points:
    11
    #7
    From Stackoverflow.
     
    archert22, Jul 9, 2013 IP
  8. ThePHPMaster

    ThePHPMaster Well-Known Member

    Messages:
    737
    Likes Received:
    52
    Best Answers:
    33
    Trophy Points:
    150
    #8
    That is an option. You can also calculate in the browser type, OS system, or even bit count. This is mostly foolproof unless someone has access to the algorithm you are using or is randomly correct and fakes all the info you are using.

    The internet is filled with examples, like this:

    (using redirect, Google style): http://answers.google.com/answers/threadview/id/742376.html

    (using API): http://www.codeguru.com/csharp/csha...php/c19417/Sharing-Cookies-Across-Domains.htm

    There are many ways companies implement this, specially ones that provide more than 1 service with the same login. You are not restricted on those implementation and can definitely work a better one if you have the time (or a more secure one).
     
    ThePHPMaster, Jul 9, 2013 IP