Cross Domain Cookies



NancyJ
10-06-2011, 02:51 PM
I have 4 domains and can access/alter code on all of them.

When someone visits domain1 or domain2 a cookie needs to be set that can be read by domain3 and domain4.

I've tried iframes with PHP setcookie (returns true but no cookie is set), JavaScript (sets the cookie on domain1/domain2 instead of domain3 and domain4) and iframes with JavaScript in them - cookie doesn't get set on any domain.

The only other thing I can come up with is when they log in to domain1 or domain2, redirect to domain3, then to domain4 and then where they were trying to get... there has to be a better solution.

(basically there are 2 main sites, an admin site and a supplier site - the client wants anyone who has supplier site access to see something different on both the main sites and anyone who has admin access to see something else.)

mlseim
10-06-2011, 04:32 PM
Do these 4 sites happen to be on the same server?

NancyJ
10-06-2011, 04:39 PM
Yes.

/10char

ironboy
10-06-2011, 04:55 PM
Loading scripts are allowed cross-domain. So load a "dummy script" and set the cookie serverside whilst doing so.

(Another traditional trick is doing the same thing with an image...)

NancyJ
10-06-2011, 05:16 PM
> Loading scripts are allowed cross-domain. So load a "dummy script" and set the cookie serverside whilst doing so.

No dice, I loaded the cookieset() PHP pages as JavaScript instead and still no cookie getting set in Firefox or IE

mlseim
10-06-2011, 06:26 PM
Do the users on domain1 and domain2 have to log-in before they can go to domain3 or domain4?

NancyJ
10-06-2011, 08:36 PM
> Do the users on domain1 and domain2 have to log-in before they can go to domain3 or domain4?

No, but it's OK for them to see the regular content if they've never logged in (or haven't logged in since the changes we made)

mlseim
10-06-2011, 10:36 PM
How is the script or domains supposed to know if they are admin or not?
What if I try visiting domain3 or domain4 ... ???

NancyJ
10-06-2011, 11:15 PM
> How is the script or domains supposed to know if they are admin or not?
> What if I try visiting domain3 or domain4 ... ???

Because they have logged into the admin site. If you visit domain3 or domain4 it should appear normally as you haven't logged into either the supplier or admin websites.

eg.
domain1 = supplier website
domain2 = admin website
domain3 = main site
domain4 = main site 2 (different branding serving a smaller subset of product)

So if person A logs in to domain1 a cookie (or something) needs to be set that domain3 and domain4 can read so they know to show supplier specific content when that person visits domain3 or domain4
Same for person B with domain2 - when they log in something needs to be set that can be accessed by domain3 and domain4 that identifies person B as an admin so that they can see admin related content

(or more specifically, the client wants to block certain content from everyone in a particular country and anyone who has access to the suppliers site, except all their admin staff are in the country they want to block and they don't want it blocked for their staff .... so hide content if user in country or is supplier unless is admin is what we're trying to achieve)

All 4 domains reside on the same physical server and I have access to all of them to add/change code

mlseim
10-06-2011, 11:57 PM
Do you log them in ... by using a MySQL database to check username/password?

Create a new column called "level" ... when they log-in, update that column.

I think all of your scripts, even different domain names, can access the same
MySQL database as long as it's on the same server. At least I think that is true.

Test it out....
Try to connect and query the same MySQL database from all 4 domains.
See if you can do it.



NancyJ
10-07-2011, 07:17 AM
All the domains do connect to the same database but without any token to identify them on the other domains how will they know which user to look up? It wouldn't need to look them up if it knew who they were.

mlseim
10-08-2011, 06:26 AM
well ... you got me there :o


I guess this might be what you can do ...
http://code.google.com/p/google-api-php-client/wiki/OAuth2

You have people use their existing Google account login (or they can register for a free account).
When the person logs into their Google account, they can access
any of your websites that you allow them to access. You choose which
Google accounts can access your site(s).

This is all free (no cost), but the control is sort of "out of your hands".

I've never done this yet, but I'm going to experiment with it.
I think I might find this useful for different sites I use.

NancyJ
10-08-2011, 07:49 AM
We already have login functions for the admin and supplier sites. The 2 'main' sites don't require login. I can't change those - well at least not as radically as that. The process needs to be completely invisible - let's just say, if the suppliers were given a choice about this, the answer would be 'no' and since the point of the exercise is to reduce the number of supplier questions he has to deal with, changing their site to require a Google login would probably defeat the point.
TBH, I don't think this is going to be possible. I just checked out the site that was claiming to be able to do it and which my client was using as proof that it must be possible - and it doesn't seem to work. They have a demo and it didn't work for me in IE or Firefox.

mlseim
10-08-2011, 06:14 PM
I think you are correct ... no way to do it.
If someone has a klunky method ... it would most likely be a security problem.

NancyJ
10-10-2011, 11:11 AM
When the client suggested we make all the bits of content that are supposed to be separate load in individual iframes... I went with the chained redirect at login. It's kludgey but it works and it's seamless to the user.
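
The chained redirect described above can be made tamper-resistant by passing a short-lived HMAC-signed token between the sites, each of which then sets its own first-party cookie. The following is an added example, not code from the thread; the `*.example` host names, `sso.php`, the `viewer_role` cookie and all function names are assumptions.

```php
<?php
// Added example: SECRET, CHAIN, RETURN_OK and the host names are placeholders.
const SECRET    = 'replace-with-32-random-bytes-shared-by-all-four-sites';
const CHAIN     = ['domain3.example', 'domain4.example'];   // hops that need the cookie
const RETURN_OK = ['domain1.example', 'domain2.example'];   // allowed final destinations

function b64url(string $s): string {
    return rtrim(strtr(base64_encode($s), '+/', '-_'), '=');
}
// Called on domain1/domain2 right after a successful login.
function issue_token(string $role, int $now, int $ttl = 30): string {
    $payload = b64url(json_encode(['role' => $role, 'exp' => $now + $ttl]));
    return $payload . '.' . b64url(hash_hmac('sha256', $payload, SECRET, true));
}
// Called on domain3/domain4: returns the role, or null if forged or expired.
function verify_token(string $token, int $now): ?string {
    if (substr_count($token, '.') !== 1) return null;
    [$payload, $mac] = explode('.', $token);
    $expected = b64url(hash_hmac('sha256', $payload, SECRET, true));
    if (!hash_equals($expected, $mac)) return null;          // constant-time compare
    $data = json_decode(base64_decode(strtr($payload, '-_', '+/')), true);
    if (!is_array($data) || ($data['exp'] ?? 0) < $now) return null;
    $role = $data['role'] ?? '';
    return in_array($role, ['supplier', 'admin'], true) ? $role : null;
}
// Next URL in the chain; the last hop only goes to an allow-listed host,
// so the "return" parameter cannot be used as an open redirect.
function next_hop(string $currentHost, string $token, string $returnHost): string {
    $i = array_search($currentHost, CHAIN, true);
    $i = ($i === false) ? 0 : $i + 1;
    if ($i < count(CHAIN)) {
        return 'https://' . CHAIN[$i] . '/sso.php?t=' . rawurlencode($token)
             . '&return=' . rawurlencode($returnHost);
    }
    return 'https://' . (in_array($returnHost, RETURN_OK, true) ? $returnHost : RETURN_OK[0]) . '/';
}
if (PHP_SAPI === 'cli') {                 // constructed demo when run from a shell
    $t = issue_token('supplier', time());
    var_dump(verify_token($t, time()));         // freshly issued token
    var_dump(verify_token($t . 'x', time()));   // tampered signature
    var_dump(verify_token($t, time() + 60));    // checked after expiry
    echo next_hop('domain3.example', $t, 'evil.example'), "\n";
} else {                                  // body of sso.php on domain3/domain4
    $role = verify_token($_GET['t'] ?? '', time());
    if ($role !== null) {                 // store a signed value, not the bare role
        setcookie('viewer_role', issue_token($role, time(), 86400),
            ['path' => '/', 'secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
    }
    header('Location: ' . next_hop($_SERVER['HTTP_HOST'], $_GET['t'] ?? '', $_GET['return'] ?? ''));
}
```

Pages on the main sites would call `verify_token()` on the `viewer_role` cookie before showing supplier or admin content, so a visitor cannot grant themselves a role by editing the cookie.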

mlseim
10-10-2011, 12:27 PM
I guess if it were me, since all 4 sites are really focusing on a database, I would create one admin script that could access all databases from one script. Do all of the database queries, crunching, displays from any 4 of the databases without having to go to any of the 4 sites in the first place. It's possible you may not even need 4 domains?


