I have an iframe, says it's hosted at example.com, and I want siteA.com and siteB.com to have the same cookie, I plan to embed iframe (example.com) into siteA and siteB, is that possible? As I know cookie is per domain only.
It depends on if you control siteA and siteB. If you cannot make changes to them, this is not possible.
Otherwise, you can leverage two way iframe communication to send siteA / siteB a message with the cookie value, which you then write.
Related
Is it possible to set cookie in one domain and access the same in another domain?
Actually I need to set a cookie in A.com page when user clicks a button and then user needs to be redirected to B.com. But the cookies are working for the same domain but not for other domain.
Is it possible to set cookie in one domain and access the same in another domain?
No. That would be a security risk.
Cookies were designed for maintaining state, like user preferences. Would you like Joe Random Evil Site to be able to change your preferences for your Online Banking service?
No. You can only set cookies for the domain your script is currently running on.
if you have both A.com and B.com, you can simply make a http (or https whatever) request from A to B and put on it whatever you want to pass to B.com . B.com gets the request, saves it serverside, when user enters the B.com, server sends back the data to user.
I have an iframe that loads an external page, that needs to be logged to make appear what I want. Actually, if i set the iframe the normal way, the iframe loads the external-domain-login page. What I actually have is something like this:
What I need to do is to set some cookies for that source to make pretend the external domain I'm "logged". That can be done (or what I think this can be done) is setting to the request the cookies that the login response gave me.
I'm actually able to get those cookies, but don't know how to set them to the URL from the iframe.
Thoughts?
Thanks!
If the iframe is on a separate domain, you can't access it directly via javascript from your other domain so you won't be able to directly transfer your cookie from domain1 to domain2 using javascript.
If you control code in both domains, then there are some workarounds. Here's one method that uses a single place to login and the login credential is transferred via URL parameters: Cross Domain Login - How to login a user automatically when transferred from one domain to another
You could conceivably use the URL transfer mechanism by logging in on the first domain and then setting the .src URL in the iframe to have the login credential in the URL. When the second domain loaded in the iframe, it would see the login credential in the URL, grab it, turn it into a cookie value that it wrote on itself and the refresh itself (thus now looking logged in). You will obviously need to control javascript in both domains to use either of these techniques because one domain's javascript can't put a cookie into the other domain directly.
Another way that two cooperating domains can communicate is with window.postMessage() so the login credentials could be sent to the iframe window. It's javascript would have to receive the message and turn it into a cookie and then refresh it's page so that the server saw the login cookie on the 2nd domain.
Within my app (http://www.example.com) I am running an iFrame (https://www.example.com/iframe-application).
The main page (www.example.com) only renders custom data based on cookies set by the iFrame. The iFrame has all the smarts, the Javascript, the secure cookies, etc. The iFrame has NO text, images, etc. only javascript code.
Is there any risk that someone would embed the iFrame in another site and access secure cookies, login tokens, etc?
By default cookies are bound to the domain name, so in normal case that should not possible.
If you got a XSS Vuln. on your site, he could access the cookies, so rather be sure to escape all Inputstrings.
That would be a cross-site scripting attack and most browser will prevent it unless the user has configured them not to.
I'm trying to understand the principle behind the Facebook plugins.
As I understood they set a cookie when you login, and then whenever you visit a website with their plugin installed, they are abel to recognize your userId..
I'm trying to do it on my own on a couple of different domains I have, but I don't know where to start actually...
I set a cookie TEST when I visit site1.com with a random id value
but then when i visit site2.com what should I do? I can I read the previous cookie that contains my id?
When you set a cookie in site1.com, whenever the visitor visits site1.com, the cookie would be sent to this website. There is no involvement of site2.com at all. site.com can not and should not be able to receive the cookie that was set by site1.com.
If you are designing a page such that the user visits site2.com and the web page at site2.com contains an IFRAME that loads site1.com, then the cookie that was set by site1.com earlier would be automatically sent to site1.com when it tries to load it in this IFRAME.
Also, note that these things are usually not done with JavaScript. Some sort of server side scripting such as PHP, ASP.NET, Django, etc. is used to set and read cookies sent by the client. Setting a cookie in the user's browser involves adding a 'Set-Cookie' header to the HTTP response generated by the server-side script. In PHP this can be done using setcookie(). Once the cookie is set in the browser, when the user visits the same website again before the cookie expires, the browser sends the cookie as a 'Cookie' header. The server-side script can now read this cookie. In PHP, the cookies are available in $_COOKIE variable.
I am developing a web app that is served from domain.ext. This web app uses cookie–based sessions and provides users with the ability to host a web pages containing custom JavaScript on a subdomain, ex. sub1.domain.ext, sub2.domain.ext. The subdomains do not use cookie–backed sessions.
Given this setup, is it possible to ensure the following?:
users at sub1.domain.ext cannot read or write a cookie for domain.ext (i.e. domain.ext sessions cannot be stolen or hijacked by JavaScript embedded in a page at sub1.domain.ext).
JavaScript embedded in a page at sub1.domain.ext cannot read or write cookies at sub2.domain.ext, and vice versa.
I’ve tested out a few things, for example it appears to be possible to interact with domain.ext’s cookies from sub1.domain.ext by running document.domain = 'domain.ext' inside the sub1.domain.ext’s window. Is there some way to prevent this, for example by specifying some kind of policy when setting the domain from domain.ext?
You can't specify that a cookie should only be valid for example.com by setting the domain parameter. If you set domain=example.com, it will be valid for *.example.com.
Setting a cookie on example.com without a domain parameter sets a cookie for only example.com in most browsers. But not IE.
So, if you ever want to have subdomains with separate cookie contexts, you should serve your site from www.example.com only. As Gaby said, naturally you can still support access through example.com by giving a 301 redirect to the www version.