Posted by Raj Shekhar on 03/19/05 22:04
Scott Haneda <lists@newgeo.com> writes:
> Cross domain cookies are indeed possible, look at microsoft.com, msn.com and
> msnbc.com which indeed do share your cookies from one site to the next,
> however, they do it by redirects and get/post methods, which is perfectly
> legit since they control those domains. No one outside someone with access
> to those servers could implement it.
I might be wrong on this analysis, but here is how I think the MSN thing works:
- When you go to hotmail.com, it redirects you to login.passport.com
- If you do not have your cookie (from the passport.com domain), which
identifies you as a valid MSN network user, you are asked to sign
in. After successful sign on, your browser gets a passport cookie.
- The passport now redirects you to hotmail.com and it passes your
user information using the URL. I think it passes some sort of
session id. Since in the background, passport and hotmail share the
same database, hotmail can check on a user's authentication based on
the session id passed in the URL.
- The same thing happens when you go to msnbc.com. You are first
redirected to passport.com and your passport.com's cookie is
examined.
Thus, even though you think that msn, hotmail and msnbc are sharing
the same cookie, they are not. It is the passport.com that is doing
the dirty work of setting and examining the cookie.
--
Raj Shekhar
MySQL DBA, programmer and slacker
Y! : Operations Engineer
Y!IM : lunatech3007
home : http://rajshekhar.net
blog : http://rajshekhar.net/blog/
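The redirect-based flow described in the post, as an added simulation that is not part of the thread and not how Passport was actually implemented: the domain names follow the post, while the shared database, the `sid` URL parameter, the credential check and the cookie names are assumptions. It shows that the passport cookie is stored and sent only for the passport domain, and that a member site accepts a user only when the session id from the URL is found in the shared store.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Backend shared by passport.com and the member sites (assumption): session id -> user.
SHARED_DB = {}

class Browser:
    """Cookie storage keyed by host: a cookie set by passport.com is sent only to passport.com."""
    def __init__(self):
        self.jars = {}
    def jar(self, host):
        return self.jars.setdefault(host, {})

def passport(browser, return_to, credentials=None):
    """login.passport.com: reuse a valid passport cookie if the browser has one, otherwise
    require sign-in; either way redirect to the member site with a session id in the URL."""
    sid = browser.jar("login.passport.com").get("passport")
    if sid not in SHARED_DB:
        if credentials != ("alice", "correct horse"):  # constructed credential check
            return "show login form"
        sid = secrets.token_urlsafe(16)
        SHARED_DB[sid] = credentials[0]
        browser.jar("login.passport.com")["passport"] = sid
    return return_to + "?" + urlencode({"sid": sid})

def member_site(browser, host, url):
    """hotmail.com / msnbc.com: the passport cookie is invisible here. Without a valid
    sid in the URL, redirect to passport; with one, look the user up in the shared store."""
    assert "passport" not in browser.jar(host)  # never present for a member site
    sid = parse_qs(urlparse(url).query).get("sid", [None])[0]
    user = SHARED_DB.get(sid)
    if user is None:
        return "redirect:https://login.passport.com/?" + urlencode({"ru": url})
    browser.jar(host)["site_session"] = sid  # the member site's own, separate cookie
    return "welcome " + user

def sign_on_twice():
    """Walk the flow from the post: hotmail first (login needed), then msnbc (no login needed)."""
    b = Browser()
    assert member_site(b, "hotmail.com", "https://hotmail.com/").startswith("redirect:")
    assert passport(b, "https://hotmail.com/") == "show login form"
    back = passport(b, "https://hotmail.com/", ("alice", "correct horse"))
    hotmail = member_site(b, "hotmail.com", back)
    # Second site: the passport cookie is already valid, so passport redirects straight back.
    msnbc = member_site(b, "msnbc.com", passport(b, "https://msnbc.com/"))
    return hotmail, msnbc, sorted(b.jars)
```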