  1. #1
    Senior Coder NancyJ's Avatar
    Join Date
    Feb 2005
    Location
    Bradford, UK
    Posts
    3,174
    Thanks
    19
    Thanked 66 Times in 65 Posts

    Cross Domain Cookies

    I have 4 domains and can access/alter code on all of them.

    When someone visits domain1 or domain2 a cookie needs to be set that can be read by domain3 and domain4.

    I've tried iframes with PHP setcookie (returns true but no cookie is set), JavaScript (sets the cookie on domain1/domain2 instead of domain3 and domain4) and iframes with JavaScript in them - cookie doesn't get set on any domain.

    The only other thing I can come up with is when they log in to domain1 or domain2, redirect to domain3, then to domain4 and then where they were trying to get... there has to be a better solution.

    (basically there are 2 main sites, an admin site and a supplier site - the client wants anyone who has supplier site access to see something different on both the main sites and anyone who has admin access to see something else.)

  • #2
    Master Coder
    Join Date
    Jun 2003
    Location
    Cottage Grove, Minnesota
    Posts
    9,492
    Thanks
    8
    Thanked 1,089 Times in 1,080 Posts
    Do these 4 sites happen to be on the same server?

  • #3
    Senior Coder NancyJ's Avatar
    Yes.

    /10char

  • #4
    Regular Coder
    Join Date
    Sep 2011
    Location
    Sweden
    Posts
    154
    Thanks
    1
    Thanked 22 Times in 22 Posts
    Loading scripts are allowed cross-domain. So load a "dummy script" and set the cookie serverside whilst doing so.

    (Another traditional trick is doing the same thing with an image...)

  • #5
    Senior Coder NancyJ's Avatar
    Quote Originally Posted by ironboy View Post
    Loading scripts are allowed cross-domain. So load a "dummy script" and set the cookie serverside whilst doing so.
    No dice. I loaded the cookieset() PHP pages as JavaScript instead and still no cookie is getting set in Firefox or IE.

  • #6
    Master Coder
    Do the users on domain1 and domain2 have to log-in before they can go to domain3 or domain4?

  • #7
    Senior Coder NancyJ's Avatar
    Quote Originally Posted by mlseim View Post
    Do the users on domain1 and domain2 have to log-in before they can go to domain3 or domain4?
    No, but it's OK for them to see the regular content if they've never logged in (or haven't logged in since the changes we made).

  • #8
    Master Coder
    How is the script or domains supposed to know if they are admin or not?
    What if I try visiting domain3 or domain4 ... ???

  • #9
    Senior Coder NancyJ's Avatar
    Quote Originally Posted by mlseim View Post
    How is the script or domains supposed to know if they are admin or not?
    What if I try visiting domain3 or domain4 ... ???
    Because they have logged into the admin site. If you visit domain3 or domain4 it should appear normally as you haven't logged into either the supplier or admin websites.

    eg.
    domain1 = supplier website
    domain2 = admin website
    domain3 = main site
    domain4 = main site 2 (different branding serving a smaller subset of product)

    So if person A logs in to domain1, a cookie (or something) needs to be set that domain3 and domain4 can read so they know to show supplier-specific content when that person visits domain3 or domain4.
    Same for person B with domain2 - when they log in, something needs to be set that can be accessed by domain3 and domain4 that identifies person B as an admin so that they can see admin-related content.

    (or more specifically, the client wants to block certain content from everyone in a particular country and anyone who has access to the suppliers site, except all their admin staff are in the country they want to block and they don't want it blocked for their staff .... so hide content if user in country or is supplier unless is admin is what we're trying to achieve)

    All 4 domains reside on the same physical server and I have access to all of them to add/change code.

  • #10
    Master Coder
    Do you log them in ... by using a MySQL database to check username/password?

    Create a new column called "level" ... when they log-in, update that column.

    I think all of your scripts, even different domain names, can access the same
    MySQL database as long as it's on the same server. At least I think that is true.

    Test it out....
    Try to connect and query the same MySQL database from all 4 domains.
    See if you can do it.



  • #11
    Senior Coder NancyJ's Avatar
    All the domains do connect to the same database but without any token to identify them on the other domains how will they know which user to look up? It wouldn't need to look them up if it knew who they were.

  • #12
    Master Coder
    well ... you got me there


    I guess this might be what you can do ...
    http://code.google.com/p/google-api-...nt/wiki/OAuth2

    You have people use their existing Google account login (or they can register for a free account).
    When the person logs into their Google account, they can access
    any of your websites that you allow them to access. You choose which
    Google accounts can access your site(s).

    This is all free (no cost), but the control is sort of "out of your hands".

    I've never done this yet, but I'm going to experiment with it.
    I think I might find this useful for different sites I use.

  • #13
    Senior Coder NancyJ's Avatar
    We already have login functions for the admin and supplier sites. The 2 'main' sites don't require login. I can't change those - well, at least not as radically as that. The process needs to be completely invisible - let's just say, if the suppliers were given a choice about this, the answer would be 'no', and since the point of the exercise is to reduce the number of supplier questions he has to deal with, changing their site to require a Google login would probably defeat the point.
    TBH, I don't think this is going to be possible. I just checked out the site that was claiming to be able to do it and which my client was using as proof that it must be possible - and it doesn't seem to work. They have a demo and it didn't work for me in IE or Firefox.
    Last edited by NancyJ; 10-08-2011 at 07:51 AM.

  • #14
    Master Coder
    I think you are correct ... no way to do it.
    If someone has a clunky method ... it would most likely be a security problem.

  • #15
    Senior Coder NancyJ's Avatar
    When the client suggested we make all the bits of content that are supposed to be separate load in individual iframes... I went with the chained redirect at login. It's kludgey but it works and it's seamless to the user.
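
Added example, not part of the original thread or any poster's code: one way to keep the chained redirect from post #15 from becoming a forgeable "role" URL is to pass a short-lived HMAC-signed hand-off token on each hop and have the receiving domain set its own first-party cookie only after verifying it. The function names, the `domainN.example` hosts, the `/hop` path and the shared key are all assumptions made for illustration.

```php
<?php
// Added example: signed hand-off for a chained login redirect.
// All names, hosts and the key below are hypothetical.
declare(strict_types=1);

const HOP_TTL = 30;                       // seconds a hand-off token stays valid
const ROLES = ['supplier', 'admin'];
const NEXT_HOSTS = ['domain1.example', 'domain2.example', 'domain4.example'];

function b64u(string $s): string {
    return rtrim(strtr(base64_encode($s), '+/', '-_'), '=');
}

function sign_claims(array $claims, string $key): string {
    $body = b64u(json_encode($claims));
    return $body . '.' . b64u(hash_hmac('sha256', $body, $key, true));
}

function verify_claims(string $token, string $key, int $now): ?array {
    $parts = explode('.', $token);
    if (count($parts) !== 2) return null;
    $expected = b64u(hash_hmac('sha256', $parts[0], $key, true));
    if (!hash_equals($expected, $parts[1])) return null;    // constant-time compare
    $claims = json_decode(base64_decode(strtr($parts[0], '-_', '+/')), true);
    if (!is_array($claims) || ($claims['exp'] ?? 0) < $now) return null;
    return in_array($claims['role'] ?? '', ROLES, true) ? $claims : null;
}

// Runs on domain3/domain4: returns [cookie value, redirect URL], or null to reject.
function handle_hop(string $token, string $key, int $now): ?array {
    $c = verify_claims($token, $key, $now);
    if ($c === null || !is_string($c['next'] ?? null)) return null;
    $host = parse_url($c['next'], PHP_URL_HOST);
    if (!in_array($host, NEXT_HOSTS, true)) return null;    // refuse open redirects
    $cookie = sign_claims(['role' => $c['role'], 'exp' => $now + 86400], $key);
    return [$cookie, $c['next']];
}

// Constructed walk-through: domain1 mints the token after a supplier login.
$key = 'replace-with-a-random-secret-shared-by-the-four-sites';
$now = time();
$token = sign_claims(['role' => 'supplier', 'exp' => $now + HOP_TTL,
                      'next' => 'https://domain4.example/hop'], $key);
var_dump(handle_hop($token, $key, $now) !== null);       // well-formed hop
var_dump(handle_hop($token . 'x', $key, $now));          // tampered signature
var_dump(handle_hop($token, $key, $now + HOP_TTL + 1));  // expired token
// In the real handler: setcookie('role', $cookie, ['expires' => $now + 86400,
//   'path' => '/', 'secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
//   then header('Location: ' . $next);
```

When domain3 or domain4 later reads the cookie, it should run the value through `verify_claims()` again rather than trusting a bare `role=admin` string, since cookie contents are fully under the visitor's control.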

