Is it possible to delete a cookie on one site when being redirected to that site from another site? Or is that impossible due to security restrictions?
Site A has a login form that submits to and logs in as Site B. When the user logs out from Site B after using Site A's login form, Site B forwards them back to Site A. Is there any way for Site A to delete a cookie on Site B without access to Site B's backend/code?
No, not if site A and site B are on different domains. There is a domain attribute that can be set in the Set-Cookie header, but this must be either an exact or partial match for the current domain. By partial match I mean that it is possible for foo.example.com to set a cookie for example.com but not for ample.com.
Source: RFC 6265 (HTTP State Management Mechanism):
When the user agent "receives a cookie" from a request-uri...
If the canonicalized request-host does not domain-match the domain-attribute:
Ignore the cookie entirely
Bear in mind that a cookie deletion is really receiving a cookie with an expiry date in the past so that is why the above still applies.
Site B would have to implement a mechanism to allow this to happen.
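An added example, not part of the answer above, showing the RFC 6265 domain-match rule the quote relies on, applied to Set-Cookie acceptance (the same match is what decides which subdomains a Domain=.example.com cookie is later sent to, the point made further down the page). Hostnames and cookie strings are constructed for illustration.

```javascript
// Added example (not from the answer above): RFC 6265 section 5.1.3 domain
// matching, applied to the Set-Cookie acceptance step quoted from section 5.3.
// Hosts and cookie values here are constructed for illustration.

// A canonicalized host "domain-matches" a domain string if they are identical,
// or the host ends with the domain string, the character just before that
// suffix is ".", and the host is not an IP address.
function domainMatch(requestHost, domainString) {
  const host = requestHost.toLowerCase();
  const dom = domainString.toLowerCase().replace(/^\./, ""); // leading dot is ignored
  if (host === dom) return true;
  if (!host.endsWith(dom)) return false;
  if (host.charAt(host.length - dom.length - 1) !== ".") return false;
  return !/^\d{1,3}(\.\d{1,3}){3}$/.test(host); // IPv4 literals never domain-match
}

// Parse just enough of a Set-Cookie header value to find the Domain attribute.
function parseDomainAttribute(setCookieValue) {
  for (const part of setCookieValue.split(";").slice(1)) {
    const [name, ...rest] = part.trim().split("=");
    if (name.toLowerCase() === "domain") return rest.join("=").trim();
  }
  return null;
}

// The quoted step: a cookie whose Domain attribute does not domain-match the
// request host is ignored entirely. A deletion (Expires in the past) is still a
// cookie, so the same rule applies to it. Real browsers additionally reject a
// Domain that is a public suffix such as "com" in an earlier step.
function acceptsSetCookie(requestHost, setCookieValue) {
  const domain = parseDomainAttribute(setCookieValue);
  if (domain === null || domain === "") return true; // host-only cookie, always accepted
  return domainMatch(requestHost, domain);
}

const expired = "Expires=Thu, 01 Jan 1970 00:00:00 GMT";
// foo.example.com may set (or delete) a cookie for example.com ...
console.log(acceptsSetCookie("foo.example.com", "sid=x; Domain=example.com"));          // true
// ... but not for ample.com, even though the host string ends with it.
console.log(acceptsSetCookie("foo.example.com", `sid=; Domain=ample.com; ${expired}`)); // false
// Site A's response cannot expire Site B's cookie.
console.log(acceptsSetCookie("site-a.example", `sid=; Domain=site-b.example; ${expired}`)); // false
```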
AFAIK this is not allowed for - as you guessed - security reasons.
Take a look here for further details: http://en.wikipedia.org/wiki/Same_origin_policy
Related
I have 2 domains, (NOT SUBDOMAINS)
Domain A
Domain B
My users create an account on Domain A and create / log in to a new account on Domain B with the same info by just clicking a button with "login with Domain A". A better way to explain is: I would like a "login with Google" on domain B, and domain A would be Google in this question.
My question is: what would be the best way to approach this? I don't want to share a database across the 2 domains, so I thought maybe this could be done with cookies like in this post https://stackoverflow.com/a/6816659/19055225. Would this be a good idea if I encrypt the cookies, or are there better ways?
The timeline of a user wanting to login on domain B with domain A's login:
Creating an account on domain A:
Going to domain B to create an account with the account created on domain A, the user will be redirected to domain A with an allow form.
When users allow the creation of an account with the known data on domain A, they will be redirected to domain B where they get a success message (the data is shared with domain B).
Users can now log in on domain B with the account from domain A (on each login click they will be redirected to domain A for a "login" button to log in on domain B).
What would be the best approach for this project?
I already made the HTML, CSS and PHP/JS forms ready for every screen.
In essence, what you're asking for has nothing to do with the browser, nor should it; you would never want to share information like that cross-domain, as anything (the user's data) could be stored/taken from one website to another (i.e., a company that uses your data for whatever they want).
In my opinion, the question should be directed more toward the backend/database. You have a few solid options:
Share the same database (you said you didn't want to, but feels like it should still be said)
Create a "conversation" between servers (http requests, web sockets)
Database replication (though this isn't easy to make work well in real time, not to mention scale, without tools like RabbitMQ)
Share information via encrypted data in the url with a key both servers have in their env to decrypt (less ideal option imo)
My website's landing page redirects to authentication provider domain [not controlled by me] where credentials are entered and on success returns to reach Home Page (back to my domain).
All this is fine except that if I check the referrals of the Home Page in Adobe Analytics it shows me the URLs from the authentication domain only. I understand Adobe uses the JavaScript 'r' variable to populate it; how can I re-populate it with the original referral?
In general, you can override the reported referring URL by populating s.referrer.
Ideally the auth server's redirect directive or server-side scripting in general should be configured to carry over the original referrer.
But you said you don't have control of that server, so your only other option is to push the current url to a cookie and then read the cookie on next page view and push that to s.referrer.
But... this may not be a perfect solution for you, depending on how exactly your site flows.
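An added example, not part of the answer above, of the cookie round trip it describes: stash the URL to report before leaving for the auth provider, read it back on the return page, validate it, and only then hand it to s.referrer. The cookie name orig_ref, the cookie attributes and the sample strings are assumptions constructed here.

```javascript
// Added example (not from the answer above): carry the referrer to report across
// the trip to the external auth provider in a first-party cookie, then hand it
// to Adobe's s.referrer on the page the provider returns to. The cookie name
// and attributes are assumptions; the cookie strings below are constructed.

const COOKIE = "orig_ref";
const isHttpUrl = (v) => /^https?:\/\//i.test(v);

// On the landing page, before the redirect to the auth provider. Returns the
// string to assign to document.cookie, or null if the value is not worth keeping.
function buildStashCookie(urlToReport) {
  // Only http(s) URLs are accepted, so nothing else can end up in the report.
  if (!isHttpUrl(urlToReport)) return null;
  // Short-lived and path-wide; SameSite=Lax is still sent on the top-level
  // navigation back from the provider's domain, unlike SameSite=Strict.
  return `${COOKIE}=${encodeURIComponent(urlToReport)}; Max-Age=600; Path=/; Secure; SameSite=Lax`;
}

// On the home page: find the stashed value in a document.cookie string and
// re-validate it, since cookie contents are under the user's control.
function readStashedReferrer(cookieHeader) {
  for (const part of cookieHeader.split(";")) {
    const [name, ...rest] = part.trim().split("=");
    if (name === COOKIE) {
      const value = decodeURIComponent(rest.join("="));
      return isHttpUrl(value) ? value : null;
    }
  }
  return null;
}

// Clears the stash so a stale value is not reported on a later page view.
function buildClearCookie() {
  return `${COOKIE}=; Max-Age=0; Path=/; Secure; SameSite=Lax`;
}

// Browser glue (not executed here):
// landing page: const c = buildStashCookie(location.href); if (c) document.cookie = c;
// home page:    const r = readStashedReferrer(document.cookie);
//               if (r) { s.referrer = r; document.cookie = buildClearCookie(); }
```

The landing page can stash document.referrer instead of location.href if the value wanted in the report is where the visitor came from before the landing page.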
I am using a node webshot library to take an image of a web site, say at http://x.y.z.com/blah . If the website exists I get a nice image. If the website does not exist I may or may not get an error. If I get an error I can use a default image. However, I am finding out that some domains are being redirected to the infamous domain-selling sites or a "search for" domain site. For example, http://notawebsite.com.org is redirected to http://www.com.org/?notfound=notawebsite.com.org. I have also checked DNS to see if I can invalidate the site ahead of time, but it resolves fine (to the www.com.org address). So is there anything I can do to determine if a URL is redirected to one of these domain search/selling sites?
Is there a standard way of identifying 'Domain not Owned' sites when using HTTP/HTTPS?
No, not really. In the example you cite, the server for http://notawebsite.com.org returns a 301 redirect. It seems to me that you just decide that if you're getting a redirect to a different domain (and not just a redirect to a different page on the same domain and not just a redirect from http to https on the same domain), then the URL you were attempting to access is apparently not active on its own.
There is no standard way to know whether the site you are redirected to is just a domain seller vs. an actual active domain. You could manually investigate a bunch of sites you get redirects on and teach your code how to identify some common domain sellers doing this, but that would be a somewhat unending task that would probably need regular human intervention to tell the difference between a real site and a domain-selling site. You could, in the end, build up a blacklist of domain sellers' domains and refuse to catalog any URL that redirects to any domain on your blacklist. But it would probably take some manual intervention to build and maintain the blacklist.
You also have no way of knowing for sure that all URLs on a given domain where you're getting a redirect do a similar redirect, but you can certainly say that the URL you tried to get the snapshot from is not directly active on its own. If the user goes to that domain in their browser, they won't see any content for that domain in their browser because the redirect will change the URL.
So is there anything I can do to determine if a URL is redirected to one of these domain search/selling sites?
Build your own blacklist of reseller domains that show up in redirects like this. Then whenever you attempt to request a page URL for purposes of grabbing a webshot and you get a 3xx status code back from the request, you check the redirect domain to see if it is on your blacklist.
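An added example, not part of the answer above, of the check it recommends: classify a 3xx Location header relative to the requested URL (same domain, plain https upgrade, cross-domain) and match the target against a hand-maintained blocklist. It uses Node's built-in URL class; the blocklist entries and URLs are constructed for illustration.

```javascript
// Added example (not from the answer above): decide what a 3xx redirect says
// about the URL that was requested, and match its target against a maintained
// blocklist of parking/reseller domains. Entries and URLs are constructed.

// Hypothetical blocklist built by hand from redirects seen in practice.
const PARKING_BLOCKLIST = ["www.com.org", "parked.example"];

// Treat "www.example.com" and "example.com" as the same site.
const stripWww = (hostname) => hostname.toLowerCase().replace(/^www\./, "");

// Returns the blocklist entry matching the host or one of its subdomains, else null.
function blockedBy(hostname, blocklist) {
  const h = hostname.toLowerCase();
  return blocklist.find((b) => h === b || h.endsWith("." + b)) || null;
}

// Returns one of: "same-domain", "https-upgrade", "cross-domain", "parked".
function classifyRedirect(requestedUrl, location, blocklist = PARKING_BLOCKLIST) {
  const from = new URL(requestedUrl);
  const to = new URL(location, from); // Location may be relative to the request
  if (stripWww(from.hostname) === stripWww(to.hostname)) {
    const upgrade = from.protocol === "http:" && to.protocol === "https:";
    return upgrade ? "https-upgrade" : "same-domain";
  }
  return blockedBy(to.hostname, blocklist) ? "parked" : "cross-domain";
}

// Whether a webshot of requestedUrl is worth keeping. A non-3xx response is
// left to the caller's existing success/error handling; a redirect is only
// acceptable when it stays on the same domain or merely upgrades to https,
// which is the "directly active on its own" test from the answer.
function shouldKeepWebshot(requestedUrl, statusCode, location, blocklist = PARKING_BLOCKLIST) {
  if (statusCode < 300 || statusCode >= 400 || !location) return true;
  const kind = classifyRedirect(requestedUrl, location, blocklist);
  return kind === "same-domain" || kind === "https-upgrade";
}
```

A cross-domain redirect that is not on the blocklist still means the requested URL has no content of its own; whether to keep those is the judgement call the answer describes.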
External website A offers a form to be filled out only once. When a user has filled it out, the form will be hidden when he calls the website A again due to cookies.
Now I want to detect whether a user has been on website A. Basically, I think, I need to request website A "in the name of" this user and parse the response.
I tried using embedding, iframe, cross domain requesting, cross domain with proxy server. Either the browser restrictions block me or I can request the website, but with another session!
How can this be done?
Without the co-operation of the other website: it cannot. Browsers are designed to make that sort of invasion of privacy impossible.
If the other site is willing to expose that information, you could use Ajax via JSONP or CORS, or you could redirect the user to a URL on the other site which, in turn, redirects back to your site with a query string that indicates if the form has been filled out.
I'm setting up a site whose entire purpose is essentially a landing page. This page will create a cookie when the user fills out the proper form. To handle cookies I'm using this jquery plugin.
My problem is, I have a separate site that should only be able to be viewed if the user has the cookie from the first site (the landing page). So far, in my testing, I have been having trouble since the cookie that I set at my landing page doesn't appear on the other site. The landing page is being tested on localhost, but the site that requires the user to have the cookie before viewing is live on the internet.
Here is how I set the cookie:
// Set the cookie when the button is clicked. The listener must be a function:
// passing $.cookie(...) directly would set the cookie immediately at page load
// and register its return value (the cookie value) as the listener.
$('#submit')[0].addEventListener("click", function () {
  $.cookie("test-cookie", "test-value");
});
Then, at the other site I have something like this to check the cookie:
// Read the cookie; $.cookie returns null (or undefined) when it is not set.
var cookie = $.cookie("test-cookie");
if (cookie != null && cookie != "") {
console.log("TRUE");
} else {
// No cookie: send the visitor to the landing page first.
window.location = "http://www.thelandingpagesite.com";
}
Now, I'm not sure if the problem is with cookies (I don't know if they can be so easily transferred between sites; as far as I am aware, they exist on the user's computer), or if I'm just setting it up wrong. Any help would be greatly appreciated! Thanks.
As far as I am aware, one site (www.example.com) cannot retrieve cookies from a browser for another site (www.Second-example.com).
It would be a major security breach if this was allowed as it would be very easy for someone to steal your cookie and gain access to your accounts and personal details.
I am afraid you are going to have to use some mechanism other than cookies.
You could store their IP as you suggest in a comment on another answer. Just be aware that anyone on that LAN could access the page... for example, if a student in a school fills out your form... the whole school would have access to the page you are trying to restrict.
Cookies are stored by the user's browser, but they are stored with a reference to the site that set them.
Site A cannot set a cookie for Site B.
Cookies are used to (among other things) store preferences. Allowing any arbitrary site to set a user's preferences for any other arbitrary site would invite vandalism.
Cookies are set for a specific domain or set of subdomains. They can be readable across multiple subdomains, so it would be possible to set a cookie for domain '.domain.com' that would be sent along with all requests to 'www.domain.com', 'landingpage.domain.com', etc.
If ultimately you would be having your landing page and the page they are sent to on the same root domain, this would be possible.
It doesn't seem like authenticating a user is an issue with your question, you merely want the user to visit Site A before they can visit Site B.
This question might be of some use:
Cross domain iframe content load detection
On Site B you could have an iframe pointing to a page on Site A which in turn loads an iframe pointing to a page on Site B. If the iframe pointing to Site A doesn't have the cookie, it could pass that information to the iframe of Site B (by loading a different page perhaps), which when loaded could then call parent.parent.cookieNotSet() (or whatever you decide to call that function) so that Site B would redirect to Site A.
I hope that makes sense. It's a big workaround, but required to get around cross-domain issues. All of this would obviously require that JavaScript is enabled on the browser but what browser doesn't have JavaScript enabled nowadays?