I'm trying to understand the principle behind the Facebook plugins.
As I understood they set a cookie when you login, and then whenever you visit a website with their plugin installed, they are abel to recognize your userId..
I'm trying to do it on my own on a couple of different domains I have, but I don't know where to start actually...
I set a cookie TEST when I visit site1.com with a random id value
but then when i visit site2.com what should I do? I can I read the previous cookie that contains my id?
When you set a cookie in site1.com, whenever the visitor visits site1.com, the cookie would be sent to this website. There is no involvement of site2.com at all. site.com can not and should not be able to receive the cookie that was set by site1.com.
If you are designing a page such that the user visits site2.com and the web page at site2.com contains an IFRAME that loads site1.com, then the cookie that was set by site1.com earlier would be automatically sent to site1.com when it tries to load it in this IFRAME.
Also, note that these things are usually not done with JavaScript. Some sort of server side scripting such as PHP, ASP.NET, Django, etc. is used to set and read cookies sent by the client. Setting a cookie in the user's browser involves adding a 'Set-Cookie' header to the HTTP response generated by the server-side script. In PHP this can be done using setcookie(). Once the cookie is set in the browser, when the user visits the same website again before the cookie expires, the browser sends the cookie as a 'Cookie' header. The server-side script can now read this cookie. In PHP, the cookies are available in $_COOKIE variable.
Related
I am learning the basic knowledge of Same-Origin-Policy and cross-site-request.
The question is can I get cookies for current domain and send them to another domain by jsonp ?
For example, there are two websites. www.A.com and www.B.com.
If user login to A, there are some cookies in user's browser for A. We know that we cannot send XHR to B with cookies because of the restriction of Same-Origin-Policy. But can we get the cookies using js and send them as parameters using jsonp.
such as:
<script>http://www.B.com/xxx?cookies=REALCOOKIES ?
If I am reading this right, this is essentially how Google Analytics cross-domain tracking works. When a user clicks on a link to another domain, the cookie values are appended onto the querystring for the link which are then picked up on the other end and then turned back into a cookie (or whatever it is you want to do with it).
If you are talking about reading cookies from one domain to the other, you can do this server-side IF you have some sort of asset request that is available to both domains e.g. an image. This is (in essence) how affiliate, media banner, facebook tracking works, i.e. the concept of ads "following" you around while you are surfing (do people still surf?) the internet.
If you are the developer for both domains you could also write an api (server-side) that makes a request to domain www.A.com and retrieves the required cookies.
I'm developing a web app using Express on Node. I'm trying to implement a proxy login functionality where an user is directly logged in and redirected to another site after he logs into to my site.
In my routing function I'm writing the following code
res.cookie('fanws', 'value' );
res.redirect('http://hostname/path'); // another site
I used the debugger in chrome and saw that the cookie is not getting added in the redirected page.
I'm running the app on localhost and the site which i'm redirecting to is hosted on another server on local network.
What should I do to add the cookie on the redirected path?
In a nutshell, you can't set a cookie in a browser or read a cookie for a site that you do not control the server for or have your own client code in that page. The cookie system is designed that way on purpose for security reasons. So, from a page or server for http://www.domain1.com, you cannot read or set cookies for some other domain.
If you have code in the pages of both domains, then you can pass some info to the second page (most likely as a query parameter) that tells the code in the redirected page to take some action (like set a cookie), but you must control the Javascript or server in that second page in order to be able to do that.
The cookie in your nodejs code goes on the current request/response which means it is associated with that domain in the browser when the response from the current request is processed by the browser.
res.redirect(...) returns a 302 response with a new URL as the response to the current request. The browser then sees this response code and makes a new web request to the new page. You cannot set cookies from the server for that new domain unless you have the server for that domain also. This is a fundamental aspect of cookie security. Cookies can only be accessed via Javascript in the browser from the page in the same origin as the cookie belongs and servers can only set cookies for the particular origin in the particular request that they are processing.
#jfriend00 nice explanation.
#Kiran G you can pass in query param in the same redirect, no need to set cookies in express just sent in query param as below.
i.e.
res.redirect(`http://hostname/path?fanws=${value}`);
I am implementing one advertising system in which when one user puts down script code into their website A. what I want to do at that time is set up a cookie into website A while it display response or resource of website B(Advertising System), so in present day when user comes again , I can log it's entry. I have read down this question and came to know that it is possible to set cookie into other website A when that website A is display content from another website B
In script I am executing one rest API and returning one response like below..
source_image = "http://example.com/media/format.png"
response = Response({'success':source_image})
response.set_cookie( 'cookie_name', 'cookie_value' )
return response
Now I am able to see cookie set in browser of the response of this url. But when I reload it ,cookie does not get display. Also why it is not getting display in the cookies section of the site in which I have put down script code.
Am I doing right thing to set up a cookie? And I have tried to set cookie's expiry date for 1 day. But still it is getting destroyed..Please help..
There are a few important things to know about cookies and browsers and how they interact across domains.
Websites can set cookies for their own website
Websites cannot set cookies for a different website
Cookies can be set on the response or using things such as JavaScript
The first two may seem confusing, especially when some sources say they are possible. It's important to note that they only affect cases where the response is directly setting the cookie using the Set-Cookie header, which allows a website to directly set a cookie. There are some special cases for things like subdomains, but in general you should not expect browsers to respect cookies set on other domains that you don't control.
If you were allowed to arbitrarily set cookies on other websites, this would open the door for websites to arbitrarily set and unset cookies you are using, even if they are unrelated. This would include the ability to log someone out across domains in just the response alone, which isn't possible.
The third point is important for cases like advertising, as cookies can be set using the Set-Cookie header (or response.set_cookie in Django) or using JavaScript through the document.cookie property. As JavaScript can included from any domain using the src property on <script> tags, any domain can manage cookies on another domain if it is included through JavaScript. This is important to how many analytics services, such as Google Analytics, work becuase it allows them to store unqiue cookies on each website for each user that is being monitored, even though they do not have full control over the response. They also typically use tracking beacons in the form of images to send data back to the external domain and associate it with the stored cookie.
The answer you linked to talks about this with images, but explains that it does not actually set the cookie on another domain. The cookie which is being set using the image or frame is stored only on the external domain, and cannot be accessed from the domain including the remote image.
Make sure that the HTTP header of "Set-Cookie" is being passed to the client in the HTTP response.
Try adding in the "domain" attribute for the cookie so the browser knows where to send the cookie.
I've got a Web App that sets a cookie in it's Javascript code which subsequently gets sent to the server on all HTTP GET requests. If I open a new Tab in Chrome and access a different page on the same server the server is seeing the cookie set in the Web Apps JS code, even though the Javascript code on this new page doesn't set any cookie. What gets weirder is I can close all Browser Tabs that are open on the site and open a new one on a non-existent 404 page and I continue to see a cookie set both when I look at the server request and in the Browser using EditThisCookie.
I don't understand why I'm seeing cookies on pages other than the Web App's page.
Cookies are built to behave in these manners. While defining cookies, expiry time is also set with that. With each request the cookie is sent to the server until it is expired for that domain.
If you wish that your cookie not to sent on next browser session, you should create non-persistent cookies.
Note that cookies can be created/deleted both from client(via javascript) and server side.
You can find below link helpful.
http://www.w3.org/2001/tag/2010/09/ClientSideStorage.html
http://www.w3schools.com/js/js_cookies.asp
I have an iframe that loads an external page, that needs to be logged to make appear what I want. Actually, if i set the iframe the normal way, the iframe loads the external-domain-login page. What I actually have is something like this:
What I need to do is to set some cookies for that source to make pretend the external domain I'm "logged". That can be done (or what I think this can be done) is setting to the request the cookies that the login response gave me.
I'm actually able to get those cookies, but don't know how to set them to the URL from the iframe.
Thoughts?
Thanks!
If the iframe is on a separate domain, you can't access it directly via javascript from your other domain so you won't be able to directly transfer your cookie from domain1 to domain2 using javascript.
If you control code in both domains, then there are some workarounds. Here's one method that uses a single place to login and the login credential is transferred via URL parameters: Cross Domain Login - How to login a user automatically when transferred from one domain to another
You could conceivably use the URL transfer mechanism by logging in on the first domain and then setting the .src URL in the iframe to have the login credential in the URL. When the second domain loaded in the iframe, it would see the login credential in the URL, grab it, turn it into a cookie value that it wrote on itself and the refresh itself (thus now looking logged in). You will obviously need to control javascript in both domains to use either of these techniques because one domain's javascript can't put a cookie into the other domain directly.
Another way that two cooperating domains can communicate is with window.postMessage() so the login credentials could be sent to the iframe window. It's javascript would have to receive the message and turn it into a cookie and then refresh it's page so that the server saw the login cookie on the 2nd domain.