Is it possible to set a cookie in one domain and access the same cookie in another domain?
Actually, I need to set a cookie on the A.com page when the user clicks a button, and then the user needs to be redirected to B.com. But the cookies work for the same domain, not for the other domain.
No. That would be a security risk.
Cookies were designed for maintaining state, like user preferences. Would you like Joe Random Evil Site to be able to change your preferences for your Online Banking service?
No. You can only set cookies for the domain your script is currently running on.
If you have both A.com and B.com, you can simply make an HTTP (or HTTPS, whatever) request from A to B and put on it whatever you want to pass to B.com. B.com gets the request, saves it server-side, and when the user enters B.com, the server sends the data back to the user.
Need recommendation on my solution
I have a multi-tenant product in a SaaS architecture, meaning the same API is common for all clients, so we hosted it on a common domain (xyz.com).
But we have N frontend clients (e.g. abc.com, fb.com, test.com).
We need to store the user's login info in a token via a cookie. What is the best way to achieve this?
Problem is:
Getting "invalid domain attribute with regards to the current host URL" while setting cookies in the browser (screenshot of Chrome's F12 window, network response tab).
My website is running on abc.com and the API is hosted at xyz.com.
Trying to set a cookie with the domain as abc.com in an Ajax call from abc.com to xyz.com, but getting the above warning in the browser and the cookie is not set.
But if I set the cookie domain as xyz.com, then the cookie is set in abc.com.
My Conclusion:
Browser will accept the cookie only from the API's domain (UI: there is a way to skip this, SameSite). So I can make my cookie an HttpOnly and Secure cookie.
xsrf-token -> will be in an HttpOnly, Secure cookie
x-xsrf-token -> will be in local storage
so that it will be safe from XSS and CSRF. (Edited)
I am learning the basics of the Same-Origin Policy and cross-site requests.
The question is: can I get the cookies for the current domain and send them to another domain via JSONP?
For example, there are two websites, www.A.com and www.B.com.
If the user logs in to A, there are some cookies in the user's browser for A. We know that we cannot send an XHR to B with those cookies because of the restriction of the Same-Origin Policy. But can we get the cookies using JS and send them as parameters using JSONP?
such as:
<script src="http://www.B.com/xxx?cookies=REALCOOKIES"></script> ?
If I am reading this right, this is essentially how Google Analytics cross-domain tracking works. When a user clicks on a link to another domain, the cookie values are appended onto the querystring for the link which are then picked up on the other end and then turned back into a cookie (or whatever it is you want to do with it).
If you are talking about reading cookies from one domain to the other, you can do this server-side IF you have some sort of asset request that is available to both domains e.g. an image. This is (in essence) how affiliate, media banner, facebook tracking works, i.e. the concept of ads "following" you around while you are surfing (do people still surf?) the internet.
If you are the developer for both domains you could also write an api (server-side) that makes a request to domain www.A.com and retrieves the required cookies.
I have an iframe that loads an external page, which needs to be logged in to show what I want. Actually, if I set up the iframe the normal way, the iframe loads the external domain's login page. What I actually have is something like this:
What I need to do is set some cookies for that source so the external domain "thinks" I'm logged in. This can be done (or so I think) by setting on the request the cookies that the login response gave me.
I'm actually able to get those cookies, but I don't know how to set them on the URL in the iframe.
Thoughts?
Thanks!
If the iframe is on a separate domain, you can't access it directly via JavaScript from your other domain, so you won't be able to directly transfer your cookie from domain1 to domain2 using JavaScript.
If you control code in both domains, then there are some workarounds. Here's one method that uses a single place to log in, with the login credential transferred via URL parameters: Cross Domain Login - How to login a user automatically when transferred from one domain to another
You could conceivably use the URL transfer mechanism by logging in on the first domain and then setting the .src URL of the iframe to carry the login credential in the URL. When the second domain loaded in the iframe, it would see the login credential in the URL, grab it, turn it into a cookie value that it writes on itself, and then refresh itself (thus now looking logged in). You will obviously need to control JavaScript in both domains to use either of these techniques, because one domain's JavaScript can't put a cookie into the other domain directly.
Another way that two cooperating domains can communicate is with window.postMessage(), so the login credentials could be sent to the iframe window. Its JavaScript would have to receive the message, turn it into a cookie, and then refresh its page so that the server sees the login cookie on the second domain.
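The postMessage() route above works only if both ends pin the origin they talk to. Here is an added example, not code from the answer: the parent page on domain1 posts the credential to the iframe with an explicit targetOrigin, and the page inside the iframe on domain2 accepts a login message only when event.origin is the parent it expects, returning the cookie string it would assign. The two origins, the message shape and the cookie name are assumptions; the functions take plain objects so they can be exercised in Node as well as in a browser.

```javascript
// Added example (not from the answer above): origin-checked postMessage login transfer.
const PARENT_ORIGIN = 'https://domain1.example';   // assumed origin of the outer page
const IFRAME_ORIGIN = 'https://domain2.example';   // assumed origin of the framed page

// Runs on domain1: deliver the credential to the iframe's window.
// `frameWindow` is iframe.contentWindow in a browser; here any object with a
// postMessage(message, targetOrigin) method will do.
function sendLogin(frameWindow, credential) {
  // Never pass '*' as targetOrigin: if the frame had been navigated elsewhere,
  // the credential would be handed to whatever origin is loaded in it.
  frameWindow.postMessage({ type: 'login', credential }, IFRAME_ORIGIN);
}

// Runs on domain2 inside the iframe: turn a trusted message into a cookie string.
// Returns the value for document.cookie, or null when the message must be ignored.
function handleLoginMessage(event) {
  if (event.origin !== PARENT_ORIGIN) return null;   // any other sender is untrusted
  const msg = event.data;
  if (!msg || msg.type !== 'login' || typeof msg.credential !== 'string') return null;
  // Keep the cookie value well-formed: no separators, no control characters.
  if (!/^[A-Za-z0-9._-]{16,}$/.test(msg.credential)) return null;
  // SameSite=None; Secure is the minimum for a cookie that must be sent while framed cross-site.
  return `login=${msg.credential}; Path=/; Secure; SameSite=None`;
}

// Browser wiring (not executed here):
//   inside the iframe:
//     window.addEventListener('message', e => {
//       const c = handleLoginMessage(e);
//       if (c) { document.cookie = c; location.reload(); }
//     });
//   in the parent, once the frame has loaded:
//     sendLogin(iframe.contentWindow, credential);
```

Two caveats a practitioner will hit: the credential sent this way is readable by any script on the parent page, so it should be a short-lived, purpose-bound token rather than the primary session cookie, and browsers increasingly refuse to store or send third-party cookies at all, so a cookie written inside a cross-site iframe may simply not come back on the reload.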
If I have a SITEA writing a cookie to my browser, can SITEB write code to access the cookie or are cookies hidden from websites that didn't create them ?
My answer to that was that YES, SITEB can read document.cookie and, if it knows the cookie name, it can access it. Was I right?
Regarding the second question, I don't think there are server-side cookies other than SESSIONS. Am I right?
Cookies are usable by both the server and the client. Cookies can only be read by the domain that creates them; you can use sub-domains and URL paths. Cookies are generally considered insecure if used from the client side, and should not be used to hold sensitive data if accessed from the client side. The server can encrypt information and store it in the cookie as long as the encryption is done in a safe manner on the server. Using cookies is a good way of avoiding the use of a session server, and if you do not save sensitive data they are a good way to store state in a web application. Although they can be more challenging than other session mechanisms, they do work on both the client and the server.
Advertising products like DoubleClick use cookies to track and monitor user activity, which is how ads follow you from site to site.
Third-party and first-party cookies
Cookies are categorized as third-party or first-party depending on whether they are associated with the domain of the site a user visits. Note that this doesn’t change the name or content of the actual cookie. The difference between a third-party cookie and a first-party cookie is only a matter of which domain a browser is pointed toward. The exact same kind of cookie might be sent in either scenario.
https://support.google.com/adsense/answer/2839090
Cookies are accessible on the basis of domain. This is a basic inherent feature of any browser; otherwise it would have been very easy for companies to snoop on each other's users.
If Site A has domain .xyz.com, then any website having the same domain can access the cookies. But if a site has domain xyz.com (dot missing), it can't access any other domain's cookies.
Also, the HTTP request sent to the server will contain the cookies of the domain from which it is sent.
I'm trying to understand the principle behind the Facebook plugins.
As I understand it, they set a cookie when you log in, and then whenever you visit a website with their plugin installed, they are able to recognize your userId.
I'm trying to do it on my own on a couple of different domains I have, but I don't know where to start, actually...
I set a cookie TEST when I visit site1.com with a random id value,
but then when I visit site2.com, what should I do? Can I read the previous cookie that contains my id?
When you set a cookie on site1.com, whenever the visitor visits site1.com, the cookie would be sent to this website. There is no involvement of site2.com at all. site2.com cannot and should not be able to receive the cookie that was set by site1.com.
If you are designing a page such that the user visits site2.com and the web page at site2.com contains an IFRAME that loads site1.com, then the cookie that was set by site1.com earlier would be automatically sent to site1.com when it tries to load it in this IFRAME.
Also, note that these things are usually not done with JavaScript. Some sort of server side scripting such as PHP, ASP.NET, Django, etc. is used to set and read cookies sent by the client. Setting a cookie in the user's browser involves adding a 'Set-Cookie' header to the HTTP response generated by the server-side script. In PHP this can be done using setcookie(). Once the cookie is set in the browser, when the user visits the same website again before the cookie expires, the browser sends the cookie as a 'Cookie' header. The server-side script can now read this cookie. In PHP, the cookies are available in $_COOKIE variable.