I have 2 domains:
www.site1.com
www.site2.com
Important notes:
Not a subdomain!
Allow-Origin is enabled on both domains.
I have full access to both domains.
Question:
How do I set a cookie on site1 and get that cookie on site2?
I want to use it with AngularJS; it doesn't matter if you use jQuery in your examples.
There is a technique that multi-site companies like Google employ to keep their users logged in for all their sites per single authentication.
This question is about how A can read a cookie of B. But my answer only tells you how A can set a cookie in B. Although this technique can be employed in a useful way for OP's favor, negative points are welcome. I will still spread the awareness.
Create a PHP file (let's say setcookie.php) in site B. This can set a cookie for site B.
setcookie("MyCookie", "subinsb.com", time()+3600);
Now if you can call this php file from any site, it will set the cookie for site B. A famous way to call this script is via a hidden img tag. So, the site A can have this image tag - which will set a cookie for site B.
<img src="http://www.siteB.com/setcookie.php" style="display:none;" />
When this image is loaded, you know the cookie for site B is set.
Interestingly, you can send data too to the cookie of site B through the URL. Your setcookie.php can read data via $_GET and include them in the cookie.
Here is the article.
Related
I am trying to access a cookie set on a subdomain (small.example.org) from the parent domain (example.org) and I would like to do this from a bit of Javascript within the page.
First of all I am setting a cookie for the domain small.example.org
document.cookie = "name=Mike; domain=small.example.org"
When I load small.example.org I can successfully see the cookie that I just set. When loading example.org I cannot see any cookies from small.example.org. Maybe not that surprising.
So I figured I need to make a request to the subdomain to include something onto the main domain, a script tag.
<script src="//small.example.org/script.js"></script>
Now when I load example.org with the request to the script tag and have a look in the browser, I can see the cookie from small.example.org.
But when I try to access it from Javascript using document.cookie, I get nothing.
Is this the expected behavior? I thought you cannot access cookies from Javascript only if they had the HTTPOnly flag set.
Is there a way to go around this? The example above is very close to my actual use case scenario and unfortunately I cannot play too much with the architecture.
This is the expected behavior.
JavaScript can only access a cookie if the domain of the cookie is either:
An exact match for the hostname of the current page
A substring of the hostname of the current page
example.org can't read cookies for small.example.org (although the reverse is not true).
Note that the Origin for JavaScript is determined by the URL of the HTML document the JS is running in, not by the URL that the JS was loaded from.
You can either:
Change the domain specified when you set the cookie
Dynamically generate the JS file on the server and insert the data using server-side programming (the browser will send the cookie in the HTTP request header when requesting the JS URL because the domains match).
I'd like to use Facebook Login/Connect to authenticate users on my website. The system consists of two things: 1) client side use of the FB JS SDK to auth the user and to set a (fbsr_) cookie, 2) retrieve this cookie on the server side and make a request against FB backend to get their email, that I'll use as an ID. (I'll use G+ login etc as well so email looks like a good common denominator.)
I pretty much copied what's here: https://developers.facebook.com/docs/facebook-login/login-flow-for-web/
The problem is, every time I refresh the page, I see that a new fbsr_${my_app_id} cookie is created. After 10 reloads in a row, I end up with 10 cookies that have the same name (and same domain) and different content. In other words, it looks like FB.init() always creates a new cookie and doesn't re-use the previous one (which becomes invalid). My observation is based on what I see in the "Cookies" window of Firefox in this case.
Am I doing something wrong? What can I do so the FB API reuses the previous cookie and doesn't create a myriad of cookies with the same name on my domain?
Thanks!
I have a script that does this:
window.open("http://www.myurl.com","myURL","width=400,height=200");
Okay, this works. I have cookies set and sessions set. Users can only access my page when they log in. When I log out, this page will direct me to a login page from window.open() as predicted.
When I take out www in the window.open()
window.open("http://myurl.com","myURL","width=400,height=200");
The cookies and sessions don't apply? I can still go into the page even if I've logged out.
Now when I tried myurl.com in the original browser, it directs me to my login page where it's supposed to.
Any ideas why? I mean I can just set it to www, but I would like to know what the reason is?
Thanks
I assume you're setting your cookies using PHP's setcookie() function (as that's what you commented on your question).
PHP will set these cookies to the domain the user is currently on. If the user is on www.mysite.com, the cookie will be applied to www.-subdomain only. You should instead give the domain PHP should set the cookie for:
setcookie('name', 'value', $time, '/', '.example.com');
Note the leading dot: .example.com, as it represents a wildcard so that the cookie is applied on all subdomains of example.com (that is, www.example.com and example.com, as well as other subdomains you might have).
For more information on this function: PHP docs
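The two answers above (reading a subdomain's cookie from the parent domain, and the www versus bare-domain cookie) both come down to how the browser stores and matches the Domain attribute. The block below is an added example, not code from either answer: it models the rules in RFC 6265 (sections 5.1.3, 5.2.3 and 5.3). The function names and sample hostnames are constructed for illustration, and public-suffix rejection is not modeled.

```javascript
// Added example: models RFC 6265 cookie Domain handling.
// Hostnames are constructed samples; public-suffix checks are not modeled.

// RFC 6265 5.1.3: identical, or a suffix that starts on a label boundary.
function domainMatch(host, cookieDomain) {
  host = host.toLowerCase();
  cookieDomain = cookieDomain.toLowerCase();
  if (host === cookieDomain) return true;
  const isIp = /^[\d.]+$/.test(host) || host.includes(':');
  return !isIp && host.endsWith('.' + cookieDomain);
}

// Decide how a cookie set by `settingHost` is stored.
// `domainAttr` is the Domain attribute value, or null when it is omitted.
// Returns null when the browser would reject the cookie.
function storeCookie(settingHost, domainAttr) {
  if (!domainAttr) {
    return { domain: settingHost.toLowerCase(), hostOnly: true };
  }
  const domain = domainAttr.replace(/^\./, '').toLowerCase(); // RFC 6265 strips a leading dot
  if (!domainMatch(settingHost, domain)) return null; // unrelated host: rejected
  return { domain, hostOnly: false };
}

// Would a page (or request) on `host` see the stored cookie?
function visibleOn(host, cookie) {
  if (cookie === null) return false;
  return cookie.hostOnly
    ? host.toLowerCase() === cookie.domain
    : domainMatch(host, cookie.domain);
}

// Each row: [host that sets the cookie, Domain attribute, host that reads it]
const cases = [
  ['small.example.org', 'small.example.org', 'example.org'],
  ['small.example.org', 'example.org', 'example.org'],
  ['www.example.com', null, 'example.com'],
  ['www.example.com', '.example.com', 'example.com'],
  ['www.site1.com', 'site2.com', 'www.site2.com'],
];
for (const [setter, attr, reader] of cases) {
  const seen = visibleOn(reader, storeCookie(setter, attr));
  console.log(`${setter} Domain=${attr} -> ${reader}: ${seen}`);
}
```

The last row is the two-domain case from the first question: a page on one registrable domain cannot store a cookie for an unrelated one, so any sharing has to go through a request to the other site.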
Is there any way to POST all the cookies (cookie name, value and expire time) available for a specific domain (e.g. .example.com) using JavaScript? I own the domain that I need the cookies to POST from but I want to post them to a different domain (e.g. example2.com). After the cookies are POSTed I also need to redirect the client to a specific link, so I think some ajax may be required.
Note: I do not need to read/write cookies on a different domain. I simply need to send/transport the cookie names/values/exp of the current domain to a different domain as HTTP POST values.
You can access the cookies using document.cookie. However, this only gives you the name and value - there's no way (that I know of) to get the expiration date of a cookie. It contains a string with all the cookies, in a name1=value1; name2=value2; name3=value3; format.
Sending it as a POST request to another domain can be done with cross-domain XHR, but if you don't need to read the HTTP response of the request, submitting a form should be enough. Simply create an invisible <form> with its method attribute set to "post", the action attribute set to the URL on the other domain and the target attribute set to the id of an invisible iframe, add the cookies as an <input>, and submit the form.
<iframe id="foo" style="display: none"></iframe>
<form id="bar" method="post" target="foo"
action="http://www.someotherdomain.com/handle_cookies.php">
<input id="cookies" type="hidden" name="cookies" />
</form>
<script type="text/javascript">
document.getElementById('cookies').value = document.cookie;
document.getElementById('bar').submit();
</script>
It's probably better to create the <iframe> and <form> dynamically, using JavaScript, instead of having it written in the HTML, but I'm too lazy to write that at 2:30AM, sorry :P
Note: If the first domain is accessed on SSL, make sure the connection to the other domain is also over SSL, otherwise you'll be transmitting secured cookies over HTTP as plain text. You can remove the scheme part from the URL of the other domain (e.g. //www.someotherdomain.com/handle_cookies.php instead of http://www.someotherdomain.com/handle_cookies.php), making it use the same scheme as the one used where the cookies are sent from. I highly recommend doing that.
The link describes a method that comes close to the requirement. But it uses the window.name property instead of cookies to send data.
Google cache copy, because the original link ceased to work for a while.
Using window.name transport for cross-site POST scripting
I think due to security reasons you can't read/write a cookie for a different domain. You can apply a specific path for the cookie to be available to such as a specific folder outside of your root. I think the way the browsers work is they find cookies for the site they are accessing at the moment, and use them accordingly. But allowing for cookies to be cross domains would open up to many threats. I think, if you really want though I can't promise something like this working fully.
If you build a script on the other domain that will write a cookie based on a trigger and then you use something like PHP cURL to bring the page into the domain you're working with at the moment you may be able to invoke a cookie from the other domain. This is pure theory though, not something I have tested. The idea is since you own both domains it's assumed you also have access to both hosting servers. So with that you need something on both ends to work with one another to do what you want, rather than hope for a one-sided solution.
Reference: http://www.quirksmode.org/js/cookies.html
If JavaScript is disabled what's a way of linking to the previous document in the session history?
Can PHP be used to simply link to the REFERRER or is there a better alternative?
Edit: Further to this, can previous post variables be retained?
You're really mixing the idea of previous document in client session history vs. server session history.
Since JavaScript is client-side, executing a history.back() renders the control to the browser, which then decides which page was last in the history (keeping in mind that the last page may not be a page within your domain). When you're using server-side PHP, the HTTP header referrer is whatever the browser supplied to you. If your server-side URI wasn't called as a result of an explicit click on a link, form GET/POST, etc., your script probably won't get a referrer header value.
If you only want to capture the referrer within your site's domain, you can start maintaining a breadcrumb trail server-side (in the user's session), e.g.: $_SESSION['breadcrumbs'] = array( 'page1', 'page2', ... )
POST variables can be persisted in the SESSION too though I've never seen a good reason to do so. If you're trying to return an error message for a form and expect to get back the POST, you shouldn't be saving the state of the original POST.