0

I have a domain where I've set a cookie: myDomain.com

My problem is that I need to access that same cookie from my subdomain, which is physically on the same server but separated as a domain / addon domain.

So, I have myDomain.com = Main Domain

and myAdonDomain.com = Addon Domain

Is there any way to have a cookie shared by both?

Kitsune
Satch3000
  • Is it on a subdomain or a totally different domain? (e.g. subdomain.mydomain.com and mydomain.com OR myotherdomain.com and mydomain.com) – Stelian Matei Feb 13 '12 at 13:14
  • 1
    It's not possible. The user's browser would prevent sharing this cookie. – rabudde Feb 13 '12 at 13:15
  • 1
    If they are different domains, check out this question http://stackoverflow.com/questions/4906907/php-cookies-for-multiple-domains – Stelian Matei Feb 13 '12 at 13:15

3 Answers

0

Yeah, as long as you know how to access it... you can access it from anywhere. Facebook and various advert services use such cookies to track you and your behaviour to target adverts specifically tailored for you.

read

Stevanicus
  • These are using JavaScript libraries running on the parent site (i.e. google.com is reading the google cookie). I don't know if this plays a role for Satch or not. – AlexC Feb 13 '12 at 13:19
0

No, it's not possible; browsers do not allow it.

If you want to make this happen, do this on the server side.

Make one website check whether the session is available on the other website; if yes, then act accordingly.

Note: You can't share subdomain cookies with your main domain either. The browser treats them as different. This is the same case as co.in being able to access all the cookies and sessions of mysite.co.in (which is not allowed).

EDIT (for alexC on SSO)

  • An SSO implementation doesn't necessitate having cookies anywhere.

Let's take an example:

  • Google has an SSO server which does the user's session management on it. (Let's name it sso.google.com, a dummy name.)

  • When we open Gmail (for the first time):

  • Gmail initially has no session cookies set for it (even if the user has logged in to other Google services like plus.google.com or orkut.com).

  • So, the Gmail site redirects the user to the SSO.

  • Here, if the user is logged in, the cookie is already set, so this server identifies it. If the user is not logged in, a login page is shown to the user, through which the user is logged in. The user is logged in to sso.google.com and not to gmail.com.

  • sso.google.com then redirects the user to gmail.com with a cookie or a GET variable which contains the session token (a randomly generated unique session identifier string).

  • This session token is then stored by Gmail in its own session. So on every further click, this session token is internally checked with sso.google.com to see whether the session is still valid; if yes, the pages are served, or else the user is again redirected to the SSO site.

  • The same applies to any other Google product. And this is how session management across multiple products is done. This model is implemented mostly in SaaS-based applications, where there are multiple tenants of a product.

  • And as you can see in this flow, there is no requirement of a cookie in all this. And even if a cookie were relied on at all, the user's logout from one application would have given no intimation to the current application, and hence integrity and security problems would arise.

Hope this clarifies things on SSO implementation.

linuxeasy
  • No, this isn't a correct comparison, co.in isn't a domain, it's a Root. Of course things can't share across a root, but if you look at Google's new privacy policy, it says it has one cookie across all its domains. – AlexC Feb 13 '12 at 13:32
  • Google uses a concept called SSO (Single Sign-on)! The SSO is internally a different server itself which does the session management, and all other sites, say plus.google.com, orkut.com, google.com, call to this SSO site internally and validate the user. It's not something done by a browser. Get your concepts clear! – linuxeasy Feb 13 '12 at 13:35
  • I have the concepts clear, I've implemented SSO in web and non-web environments. SSO CAN do session management, but it only refers to authentication method. In a web environment, SSO has no way of keeping track of a session after you close your browser except cookies. They don't get the MAC address, and some browsers like Opera don't support NTLM, so they have to track you through cookies – AlexC Feb 13 '12 at 14:03
  • @AlexC updated my answer. And there is no requirement of knowing the MAC or sharing cookies across domains. – linuxeasy Feb 14 '12 at 13:37
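
The redirect-and-validate flow described in the answer above, as an added in-memory example that is not part of the original answer or any real SSO product. The class names, the `sso_token` parameter, the `example` hosts, the return-URL allowlist and the token lifetime are all assumptions made for illustration.

```python
# Added example: in-memory model of the redirect-based SSO flow from the answer.
# Class names, hosts, the "sso_token" parameter and the allowlist are hypothetical.
import secrets
import time
from urllib.parse import urlencode, urlparse, parse_qs


class SsoServer:
    """Stands in for the central SSO host; only it holds the login session."""
    ALLOWED_RETURN_HOSTS = {"app-a.example", "app-b.example"}  # constructed

    def __init__(self, ttl=900):
        self.ttl = ttl
        self.tokens = {}  # token -> (user, expiry timestamp)

    def login_and_redirect(self, user, return_to):
        """Called once the SSO host has authenticated the user; returns the redirect URL."""
        # Never hand a session token to a host that is not a registered application.
        if urlparse(return_to).hostname not in self.ALLOWED_RETURN_HOSTS:
            raise ValueError("return_to host is not registered")
        token = secrets.token_urlsafe(32)
        self.tokens[token] = (user, time.time() + self.ttl)
        return return_to + "?" + urlencode({"sso_token": token})

    def validate(self, token):
        """Back-channel check each application makes on every request."""
        user, expiry = self.tokens.get(token, (None, 0))
        if user is None or time.time() > expiry:
            self.tokens.pop(token, None)
            return None
        return user

    def logout(self, user):
        # Dropping the tokens ends the session in every application at once.
        self.tokens = {t: v for t, v in self.tokens.items() if v[0] != user}


class App:
    """An application on its own domain; it never reads the SSO host's cookie."""
    def __init__(self, sso):
        self.sso = sso
        self.local_session = {}

    def handle_callback(self, url):
        token = parse_qs(urlparse(url).query).get("sso_token", [""])[0]
        if self.sso.validate(token) is None:
            return False
        self.local_session["sso_token"] = token  # kept in the app's own session
        return True

    def current_user(self):
        return self.sso.validate(self.local_session.get("sso_token", ""))
```

Because every application re-validates against the central server, a logout there takes effect on all domains without any cross-domain cookie.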
-1

If it's a subdomain, the cookie can be shared (or mydomain.com and IMissWhitney.mydomain.com). If they are different domains, the cookie can't be shared.

EDIT: linuxeasy is right, the documentation was a bit off point and old, so here's a newer link from 2011 specifically on PHP. +1 linuxeasy

http://www.innovativephp.com/sharing-cookies-across-multiple-domains-hosted-on-different-servers/

AlexC
  • Subdomains can't share cookies! It's like saying --> com can share all its cookies with google.com, yahoo.com – linuxeasy Feb 13 '12 at 13:18
  • I've done this on about 9 domains. It IS doable. It requires some server setup and correct coding, but you CAN share. – AlexC Feb 13 '12 at 13:20
  • What kind of server setup and what kind of coding? – linuxeasy Feb 13 '12 at 13:22
  • I'm on an iPod right now, so I'll respond better when I get to the office, but here's another example http://stackoverflow.com/questions/1135734/its-possible-to-share-a-cookie-between-some-subdomains – AlexC Feb 13 '12 at 13:25
  • 1
    The documentation you have mentioned is about 15 years old. I don't think it's possible either! – linuxeasy Feb 13 '12 at 13:39
  • @linuxeasy I'm not trying to spar with you, I'm here to help Satch3000, but I'm telling you I've shared cookies across subdomains in WAMP, LAMP, and ColdFusion on Windows and Linux. The applications are still running. It's doable, all you have to do is set your cookie to the superdomain. – AlexC Feb 13 '12 at 14:10
  • @Satch3000 If you look at the documentation here: http://php.net/manual/en/function.setcookie.php and look at the comments under "domain," you'll be able to see that as long as your subdomain falls in the parentage of the cookie, it will be able to be shared. – AlexC Feb 13 '12 at 14:11
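
The cookie `Domain` rule that this thread is debating, written out as an added example following RFC 6265 (sections 5.1.3, 5.2.3 and 5.3); it is not code from any of the posts. The host names are the ones used on this page, the function names are hypothetical, and `PUBLIC_SUFFIXES` is a tiny constructed stand-in for the real Public Suffix List that browsers consult.

```python
# Added example: RFC 6265 handling of the cookie Domain attribute.
# PUBLIC_SUFFIXES is a tiny constructed stand-in for the real Public Suffix List.
import ipaddress

PUBLIC_SUFFIXES = {"com", "in", "co.in"}


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def domain_match(host, domain):
    """RFC 6265 5.1.3: identical, or host ends with '.' + domain and is not an IP."""
    host, domain = host.lower(), domain.lower()
    if host == domain:
        return True
    return host.endswith("." + domain) and not _is_ip(host)


def accept_set_cookie(setting_host, domain_attr):
    """Return the stored scope (domain, host_only), or None if the cookie is rejected."""
    setting_host = setting_host.lower()
    if not domain_attr:
        return (setting_host, True)           # no Domain attribute: host-only cookie
    domain = domain_attr.lower().lstrip(".")  # a leading dot is ignored (5.2.3)
    if domain in PUBLIC_SUFFIXES:
        # A public suffix is only usable as a host-only cookie by that exact host.
        return (setting_host, True) if domain == setting_host else None
    if not domain_match(setting_host, domain):
        return None                           # a site cannot set cookies for a foreign domain
    return (domain, False)


def cookie_sent_to(scope, request_host):
    """Would a stored cookie with this scope be attached to a request for request_host?"""
    if scope is None:
        return False
    domain, host_only = scope
    if host_only:
        return request_host.lower() == domain
    return domain_match(request_host, domain)
```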