PHP Cookies for multiple Domains

Question

I want to create a cookie from one domain once the user is registered in PHP. and make this cookie accessible to 4 other domains not subdomain. I know that cookies are not d

Answer 1

When searching the cookie list for valid cookies, a comparison of the domain attributes of the cookie is made with the Internet domain name of the host from which the URL will be fetched. If there is a tail match, then the cookie will go through path matching to see if it should be sent. "Tail matching" means that domain attribute is matched against the tail of the fully qualified domain name of the host. A domain attribute of "acme.com" would match host names "anvil.acme.com" as well as "shipping.crate.acme.com". Only hosts within the specified domain can set a cookie for a domain and domains must have at least two (2) or three (3) periods in them to prevent domains of the form: ".com", ".edu", and "va.us". Any domain that fails within one of the seven special top level domains listed below only require two periods. Any other domain requires at least three. The seven special top level domains are: "COM", "EDU", "NET", "ORG", "GOV", "MIL", and "INT".

The default value of domain is the host name of the server which generated the cookie response.

read up here.

you can load an iframe from a host which then reloads itself with the encoded cookie value in the segment part (after the #).

you can then access the document.location attribute from the parent window (hits the only thing that is accessible). decode it and pass it to your server doing an ajax request.

This could look like so.

xss.php (located on cookies.example.com):

 $_COOKIE['uid'],
'loginhash' => $_COOKIE['loginhash']);
header('Location: xss.php#'.urlencode(json_encode($data)));

for this particular case it does not need to be the hashtag! its just convinient for other situations. this can also be done in javascript.

another website embeds xss.php:

you need to somehow delay the following of do it in a loop that stops after 5 seconds or something.

if(document.getElementById('cookies').location != 'http://cookies.example.com/xss.php') {
 // read location, extract hashtag, json decode using javscript, there you have your user. send it to server for validation or whatever.
}

this teqnique is called xss recieving. it is for example utilised by facebook for all their javascript connect libraries.

a probably better way would be some sort of token exchanging protocol like openid.

amazon uses this too.

you can set up an openid provider (there are librarys available that can do that out of the box) and set it to auotmatically redirect back without user interaction. i have often seen openid protocol used for some other purposes just like cross domain communication.