27

We have several websites on different domains and I'd like to be able to track users' movements on these sites.

  • Obviously cookies are not feasible, because they don't cross domain borders.
  • I could look at a combination of IP address and User Agent, but there are some cases where that does not work.
  • I don't want to use flash or other plugins.

Any ideas? Or am I doomed to rely on the IP/User_Agent combination?

BlaM

5 Answers

21

You can designate one domain or subdomain to tracking and have it serve a 1x1 pixel image which you include in all pages you would like to track. Serve a cookie with the image, look at the tracking domain's server logs, voilà.

Simon
  • That won't work. Internet Explorer default security settings won't allow pictures from other domains (or iframes) to set any cookies. – BlaM Oct 19 '08 at 13:52
  • ... okay, revised: will work if I take http://support.microsoft.com/kb/323752/EN-US/ into account :) – BlaM Oct 19 '08 at 14:01
  • Wow, I actually didn't know that IE6 does this - I haven't used frames much recently. So you have to use the HTTP headers trick, or does setting cookies work when not using frames? – Simon Oct 19 '08 at 17:23
  • The problem is that this requires extra work to be done. You have to include that in every page you need to track. – mohammedn Oct 24 '08 at 11:33
6

This solution requires no JavaScript, and works even if the user disables third-party cookies.

First, let's make sure the user agent is sending cookies:

If getCookie("c") == null then setCookie("c", "anyValue")

Then let the request finish (aka wait for next request)

Let's call our tracker cookie uaid.

If GET http://child.com/any-page and getCookie("c") is not null and getCookie("uaid") is null...

Redirect to http://parent.com/give-me-a-uaid?returnTo=http://child.com/any-page

On http://parent.com/give-me-a-uaid, check for cookie uaid

If not exists, create it and add it to response. If it exists, get its value.

Redirect to http://child.com/any-page?uaid=valueOfParentsUAIDCookie

Child.com sets cookie uaid with valueOfParentsUAIDCookie

Redirect to http://child.com/any-page

And of course, you are validating input, and white-listing your redirect URLs :)

Flows (diagrams): Scenario A, Scenario B, Scenario C

Neil McGuigan
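The parent.com step of the redirect flow above, with the redirect allow-list and input validation that the answer's last line calls for, as an added example that is not part of the original answer. The host names in the allow-list, the function names and the 22-character uaid format are assumptions made for illustration, and the cookie attributes assume both sites are served over HTTPS.

```python
import re
import secrets
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumption: hypothetical allow-list of sites that may receive a uaid.
ALLOWED_RETURN_HOSTS = {"child.com", "www.child.com"}
# Shape of secrets.token_urlsafe(16): 22 URL-safe base64 characters.
UAID_RE = re.compile(r"[A-Za-z0-9_-]{22}")


def safe_return_url(return_to):
    """Return return_to only if it is an http(s) URL on an allow-listed host."""
    try:
        parts = urlsplit(return_to or "")
        parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    if parts.scheme not in ("http", "https"):
        return None  # rejects javascript:, data:, scheme-relative //host
    if parts.username or parts.password:
        return None  # rejects https://child.com@other.example/
    if parts.hostname not in ALLOWED_RETURN_HOSTS:
        return None  # exact match, so child.com.other.example fails
    return return_to


def give_me_a_uaid(cookies, return_to):
    """parent.com handler; returns (status, headers) for the response."""
    target = safe_return_url(return_to)
    if target is None:
        return 400, {}  # never redirect to an unvetted URL
    headers = {}
    uaid = cookies.get("uaid", "")
    if not UAID_RE.fullmatch(uaid):  # missing or tampered: issue a new one
        uaid = secrets.token_urlsafe(16)
        headers["Set-Cookie"] = f"uaid={uaid}; Path=/; Secure; HttpOnly; SameSite=Lax"
    parts = urlsplit(target)
    # Drop any caller-supplied uaid parameter before appending ours.
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True) if k != "uaid"]
    query.append(("uaid", uaid))
    headers["Location"] = urlunsplit(parts._replace(query=urlencode(query), fragment=""))
    return 302, headers


def child_accept_uaid(query_value):
    """child.com side: store the uaid from the query string only if well-formed."""
    return query_value if UAID_RE.fullmatch(query_value or "") else None
```

Checking the uaid shape on both sides keeps a forged cookie or query value from being echoed into a `Location` or `Set-Cookie` header.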
3

This question is closely related to the Question Accessing Domain Cookies within an iFrame on Internet Explorer.

For Internet Explorer I need to take P3P Policies into account and set an additional P3P HTTP-Header to allow images to set cookies across domain borders. Then I can use Simon's suggestion.

BlaM
1

You can follow the same concept used in Google Analytics: inject JavaScript into the pages you want to track.

mohammedn
  • I could, but how would that help me to track users across domain borders? – BlaM Oct 19 '08 at 14:32
  • There are different types of tracking. Google Analytics will let you look back at a history of your many visitors' behaviour, even crossing domains. Another type of tracking such as PHP session tracking is used to control what content is served to a single visitor. – Liam Oct 20 '08 at 12:01
  • Google Analytics does exactly what Simon said, and it injects a 1x1 pixel image, this is how it can track across multiple domains, and it does this injection by JS – Gabriel Solomon May 28 '09 at 07:25
0

You do not give any context to your situation, just the basic problem. So it is difficult to give an answer that clearly fits. However, here are some techniques/mechanisms for passing information from one page to another, regardless of what domain is involved.

  • include hyperlink to a 1x1 pixel transparent gif image (sometimes called a "beacon")
  • rely on referrer information in HTTP request headers to identify page hyperlink is on
  • include extra parameters in hyperlinks to other site - assuming you run both sites
  • buy services of a company like Akamai to do user tracking for you
  • possibly use cross domain cookie mechanism in the future if standard is ever approved

Which techniques to use really comes down to whether or not you can place software on all of the sites (servers) of interest that the user will visit.

JohnnySoftware