How to migrate cookie domain and retain the value - javascript

Is it somehow possible to migrate domains from a cookie?
I have a tracking script which sets a cookie on the domain of the tracking script (server side, RoR backend), let's say mytracking.com.
The tracking script itself is integrated as JavaScript on the domain mycustomer.com.
Status quo is, every guest on the website mycustomer.com now has a cookie for the domain mytracking.com.
Can I somehow migrate the cookie domain from mytracking.com to mycustomer.com?

In your client side JavaScript, generate a unique ID. Then create an iframe with a source pointing to a script on mytracking.com and the unique ID as a parameter.
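var uuid = crypto.randomUUID(); // unguessable ID; requires a secure (HTTPS) context
var ifrm = document.createElement('iframe');
// Use a scheme-relative URL: without the leading // the path resolves against mycustomer.com
ifrm.setAttribute('src', '//mytracking.com/storecookie.rb?uuid=' + encodeURIComponent(uuid));
document.body.appendChild(ifrm);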
Now the storecookie.rb script can access the cookie value on the mytracking.com domain and writes it to a database along with the UUID that you generated.
Now, in your client side JavaScript, you fetch() another script, for example mytracking.com/readcookie.rb?uuid=<UUID> that retrieves the matching cookie value from the database. With the value in your client side JS, you can simply create a new cookie with the correct domain.
Unfortunately that process is a bit convoluted, but cross-domain security prevents setting a cookie for another domain.
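A sketch of the lookup that storecookie.rb and readcookie.rb share, written in JavaScript as an added example (not code from the answer; the store, its function names and the 60-second lifetime are assumptions). Because the UUID is the only thing protecting the cookie value, the store rejects malformed IDs, expires entries, and deletes each entry on its first read.

```javascript
// Added example: in-memory stand-in for the database behind
// storecookie.rb / readcookie.rb. All names here are hypothetical.
const UUID_V4 = /^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/i;

function createHandoffStore(ttlMs = 60000, now = () => Date.now()) {
  const entries = new Map(); // uuid -> { value, expiresAt }

  // Drop every entry whose lifetime has run out.
  function sweep() {
    const t = now();
    for (const [id, entry] of entries) {
      if (entry.expiresAt <= t) entries.delete(id);
    }
  }

  return {
    // storecookie step: called with the uuid parameter and the cookie
    // value the server read from the request to mytracking.com.
    store(uuid, cookieValue) {
      sweep();
      if (!UUID_V4.test(uuid)) return false; // reject short or malformed IDs
      if (entries.has(uuid)) return false;   // never overwrite a pending hand-off
      entries.set(uuid, { value: cookieValue, expiresAt: now() + ttlMs });
      return true;
    },
    // readcookie step: returns the value once, then forgets it.
    take(uuid) {
      sweep();
      if (!UUID_V4.test(uuid)) return null;
      const entry = entries.get(uuid);
      if (!entry) return null;
      entries.delete(uuid);                  // one-time read
      return entry.value;
    },
    size() {
      sweep();
      return entries.size;
    },
  };
}
```

Because mycustomer.com fetches readcookie.rb cross-origin, the response also needs an Access-Control-Allow-Origin header naming that origin, which is a second place to restrict who can read the value.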

Related

Access the PHP session name in Javascript

I'm currently using this to check if a cookie name exists in the browser:
document.cookie.indexOf('myCookie=')
This works if the cookie was set via PHP's setcookie() but this doesn't appear to work on PHP sessions.
E.g. if the "cookie" was set through session_start();, you can see in the browser inspector the cookie name with an expiration of "Session". I can't seem to access that session cookie name via JS. Any ideas?
To be clear: I need to check if the PHP session cookie name is present in the browser, not the session data.
It is possible to set the PHP session cookie to be available only via HTTP (i.e. not in JS) if your session.cookie_httponly PHP configuration setting is enabled. In other words, you need to disable it / set it to false for your session cookie to be accessible in JS.
You can check its value like so:
<?php
var_dump(ini_get('session.cookie_httponly'));
Generally, this setting is enabled for security reasons, so I would highly suggest questioning the necessity of doing this.

How to get the client id while sending data to GA using Measurement protocol?

I have tried using analytics.js (Universal Analytics) through both the frontend (JS) and the backend (Measurement Protocol).
When using the frontend (JS way):
I see that there is a cookie named _ga whose value is GA1.2.1360127879.1438853622, and it is sending data to GA with cid=1360127879.1438853622 through the request 'http://www.google-analytics.com/collect?...'. I know that 1360127879 is the unique id and 1438853622 is the timestamp.
When using the backend (Measurement Protocol):
I have a few questions here:
1. How can I get the client id from the browser?
One way is to read the _ga cookie from the backend and parse the client id from it. But I read that it is not recommended, because Google can change the format anytime. Somewhere I read to use:
ga(function(tracker) {
  var clientId = tracker.get('clientId');
});
But I don't understand how to get the client id in the backend using this. I want to use the same client id which the frontend is using.
2. What is actually the client id? Is it the unique id alone or the combination unique_id.timestamp? What should I send to GA from the backend?
If you look at a website that's using the recommended Google Analytics JavaScript Snippet, you'll see that the client ID it's sending looks something like this:
324729700.1423421585
And the value being stored in the _ga cookie looks something like this:
GA1.3.324729700.1423421585
Notice how the last two parts are the same, and just the GA1.3 part is different.
The only part you need to care about is the client ID that's sent to the Measurement Protocol, so if you have access to the _ga cookie from the server, you should strip the GAX.X. prefix and just send the rest.
But I read that it is not recommended, because Google can change the format anytime.
This isn't true. These cookies have a two-year expiration time, so they're probably not going to be changed. And think about it, if Google did change them, data for millions of websites would suddenly be wrong, so there's no good reason for them to do that.
FWIW, the best way to track users server-side is to use the User ID feature, but if your users aren't authenticated, then using the existing client ID is perfectly fine.
Update:
To answer your second question, the timestamp is part of the client ID, do not strip it. The timestamp is used to help make the ID "more unique".

Given a cookie from a subdomain, can you write a javascript function that returns the hostname of the proxy server?

Hello stackoverflowers,
I'm trying to make a variable that holds the value of the hostname of the proxy server, so I can dynamically construct a cookie name (which contains the hostname of the proxy as part of the string). Do you know how I would do this? I would imagine the hostname (and other info) of the proxy server is stored or is accessible somehow through the subdomain server. Do you know of a javascript function that can do this?
Thank you!
A number of possibilities spring to mind.
1. If it is dynamically generated content, just write the proxy name into an element in the web page and retrieve it from there. On the server side, you can look up the client IP address - which will be the address of the proxy - in a list you maintain, to find out the proxy name.
2. If it is static content, use an AJAX method from the browser to query the server for the proxy name, which the server can provide in the same way as method 1.
3. Just give the proxies the same name so the cookie can have the same name every time.

Cookies - set across multiple domains

My company has a setup as follows:
subdomain1.domain1.com
subdomain2.domain1.com
subdomain3.domain1.com
subdomain4.domain1.com
subdomain5.domain1.com
subdomain6.domain1.com
subdomain1.domain2.com
subdomain2.domain2.com
subdomain3.domain2.com
subdomain4.domain2.com
subdomain5.domain2.com
subdomain6.domain2.com
On each site, bearing in mind there can be a hundred sites per subdomain, users can log in. We, as developers, have to test frontends across several browsers, but some work may only be required on a section once logged in.
I have written a userscript which enables us to save a username and password (and other details which I cannot mention because of confidentiality). The script checks to see if the user account exists by filling in the login form and clicking the submit button. If not, it registers for us - thus automating the registration process.
Sharing cookies between subdomains on the same domain is easy. If I am on subdomain1.domain1.com I can save a cookie which can be retrieved by subdomain2.domain1.com. However, I would also like to save these for domain2. I do not appear to be able to get this to work.
I can see two solutions from here - either:
1) attach an iFrame using the userscript, which loads a site on domain2. This then uses the querystring to decide what to set to what, or;
2) use a form with method="POST", and simply post to a file on each domain.
Either way will be resource intensive, particularly if the cookies are updated each time a cookie changes. We also have URL masking in place. So we'd also have to take into account sites like abc.clientdomain1.com, abc.clientdomain2.com etc.
Does anyone know of an easier way to achieve this?
This answer is a slightly different version of my answer on the question "Set cookie on multiple domains with PHP or JavaScript".
Do what Google is doing. Create a PHP file (or a file in any other server language) that sets the cookie on all 3 domains. Then on the domain where the login is going to be set, create an HTML file that loads the PHP file that sets the cookie on the other 2 domains. Example:
<html>
<head></head>
<body>
Please wait..........
<img src="http://domain2.com/setcookie.php?user=encryptedusername"/>
<img src="http://domain3.com/setcookie.php?user=encryptedusername"/>
</body>
</html>
Then add an onload callback on the body tag. The document will only finish loading when the images have completely loaded, that is, when the cookies are set on the other 2 domains. Onload callback:
<head>
<script>
function loadComplete(){
window.location="http://domain1.com";//URL of domain1
}
</script>
</head>
<body onload="loadComplete()">
Now cookies are set on the three domains.
Source
Create a common domain specifically for your cookies and use it as a getter/setter API.
http://cookie.domain.com/set/domain1
http://cookie.domain.com/get/domain1
http://cookie.domain.com/set/domain2
http://cookie.domain.com/get/domain2
and so on.
Include a script tag from domain2 that sets the cookie using a username and hashed password:
<script type="text/javascript" src="http://domain2.com/cookie_login_page.php?username=johnsmith&hash=1614aasdfgh213g"></script>
You can then check to ensure that the hashed passwords match (one way).
Key points:
Make the hashes in the URL time sensitive by appending a timestamp that will be agreed upon by the server (for example, 16:00, 16:10, etc) before hashing the string. If you're using HTTPS this is less of an issue.
If your passwords are already hashed, it won't hurt to double-hash the passwords, assuming the salts are the same on both servers.
Sample PHP code:
src:
<script type="text/javascript" src="/cookie_login_page.php?username=<?php echo $username; ?>&hash=<?php echo md5($password . date('H')); ?>"></script>
dest:
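<?php
// Look up the stored password for the supplied username
$password = get_password($_GET['username']);
// Recompute the hour-scoped hash; hash_equals() avoids loose == comparison of hex strings
if (hash_equals(md5($password . date('H')), (string) $_GET['hash'])) {
    // set the cookie
}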
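The time-sensitive hash described in the key points above, as an added example in JavaScript for Node.js rather than the answer's PHP (not the answer's code): it swaps md5($password . date('H')) for an HMAC-SHA256 over the username and a 10-minute window number, keyed with a secret shared by the two servers, so no password-derived value appears in the URL. The function names, the shared secret and the window length are assumptions.

```javascript
// Added example (Node.js). Names and the shared secret are hypothetical.
const crypto = require('node:crypto');

const WINDOW_MS = 10 * 60 * 1000; // the "16:00, 16:10" buckets from the answer

function windowIndex(nowMs) {
  return Math.floor(nowMs / WINDOW_MS);
}

// HMAC over username and window number; returns a 32-byte Buffer.
function mac(secret, username, windowNo) {
  return crypto.createHmac('sha256', secret)
    .update(`${username}\n${windowNo}`)
    .digest();
}

// Source domain: token that goes into the script URL.
function makeLoginToken(secret, username, nowMs = Date.now()) {
  return mac(secret, username, windowIndex(nowMs)).toString('hex');
}

// Destination domain: accept the current window and the previous one,
// so a request that crosses a window boundary still verifies.
function verifyLoginToken(secret, username, token, nowMs = Date.now()) {
  if (typeof token !== 'string' || !/^[0-9a-f]{64}$/.test(token)) return false;
  const got = Buffer.from(token, 'hex');
  const current = windowIndex(nowMs);
  let ok = false;
  for (const w of [current, current - 1]) {
    // timingSafeEqual requires equal lengths; both sides are 32 bytes here.
    if (crypto.timingSafeEqual(got, mac(secret, username, w))) ok = true;
  }
  return ok;
}
```

A token stays valid for up to two windows, so it can be replayed within that time; serving the page over HTTPS, as the answer notes, is what keeps it out of reach of a network observer.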
For security reasons, sites cannot set or retrieve cookies on other domains. Scripting the form submit via JavaScript is likely the easiest to do, and will still store the cookies you need in the browser cache.
As stated by others, you can't access cookies across domains. However, if you have control of the server code, you can return information in the body, and allow your client to read and store that information per server.
In my case, I'm connecting a single client to multiple servers, maintaining an authenticated connection to each one. I need to know when the session for each one is going to expire, so the authentication service returns the cookie, plus it modifies the body of the response to send the relevant data back, so that I can read that data and set my own cookies.
By doing this, I can manually track what I need. Won't work in every scenario, but might for some like me.

Retrieving cookies

I was wondering how I could retrieve a cookie that has a path specified - something like path=/foo/bar... If I use document.cookie that only retrieves me JSessionId cookie.. which I guess is the only one with path=/.
Are you trying to retrieve the cookie based on the path and not the name? It's possible to have many cookies that match a specified path. Also have a look at jQuery and the Cookie plugin. Setting and retrieving cookies is as easy as:
// get cookie
$.cookie(COOKIE_NAME)
// set cookie
$.cookie(COOKIE_NAME, 'test', { path: '/your/path', expires: 7});
http://plugins.jquery.com/project/cookie
I have figured out how to solve the problem... Just to let anyone reading this know, the idea was to test one of the applications for a cross-site scripting (XSS) attack, and the cookie contained valuable information that I wanted to retrieve. The problem was that the cookie was on a different path than the web app itself. I had to access the app using /somedomain/project and the cookie had the /somedomain/project/project path set. So I somehow had to open the /somedomain/project/project URL to be able to retrieve the cookie I needed. To get to that cookie I injected an iframe element. Inside that iframe element I made an AJAX call. It was a dummy call to /somedomain/project/project/ just to get some information in the iframe and to make sure the iframe's document objects get created. That iframe's document object contained the cookie that I needed. After that I made an XMLHttpRequest call to a remote service and sent the cookie as a parameter to the remote server.
