Posted by Marek Kilimajer on 06/13/49 11:17
mbneto wrote:
 > Hi Richard,
 >
 > The setcookie manual and the cookie specification tell otherwise.
 >
 > bool setcookie ( string name [, string value [, int expire [, string
 > path [, string domain [, bool secure]]]]] )
 
 The domain parameter is restricted to third level domains (or 4 for top
 level domains like .co.uk). From domain.net, you can set domain to
 secure.domain.net, but not to anotherdomain.com.
 
 >
 > In fact one of the tricks people use is to create a cookie with the
 > right values in order to bypass the site's security.
 
 They use curl or edit the browser's cookie file.
 
 >
 > On 5/14/05, Richard Lynch <ceo@l-i-e.com> wrote:
 >
 >>On Sat, May 14, 2005 4:45 am, mbneto said:
 >>
 >>>They are in the same machine. My major concern is with security and
 >>>the ability to make sure if a user logs in, or adds something to a
 >>>"shopping cart" in one domain it will be available to the other
 >>>domain.
 >>>
 >>>Can I call setCookie twice with the same variable name but
 >>>different domain ?  I could set the sessionid and call session_start
 >>>with the propagated id when/if a user crosses from one domain to
 >>>another.
 >>
 >>No, you can't call setcookie with a domain name AT ALL.
 >>
 >>If you could, what would stop you from setting Cookies for *my* site?  Or
 >>msn.com?  Or Sothebys.com?  Then you could just take all their customers'
 >>money, and not need to worry about your own shopping cart.
 >>
 >>If you want to transfer Cookies from two domains you control, it's up to
 >>you to do that with your own hack.
 >>
 >>It would make a lot more sense to just put all the shopping on one domain,
 >>or have different carts for two domains.
 >>
 >>It's more than a little odd to have the same cart on two sites from a user
 >>perspective...  Something that's likely to confuse customers, and make
 >>them think your site is insecure if you can't even keep your shopping cart
 >>confined to one site.
 >>
 >>--
 >>Like Music?
 >>http://l-i-e.com/artists.htm
 >>
 >>
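The thread notes that a client can send any cookie value it likes, with curl or by editing the browser's cookie file, so the server has to authenticate the value itself. The following is an added example, not code from the thread or its participants: a PHP sketch that HMAC-signs a cookie value with an expiry so an edited or replayed value is rejected. The function names, the key constant and the sample values are assumptions constructed for illustration.

```php
<?php
// Added example; names, key and sample values are constructed.
// Load the real key from configuration kept outside the web root.
const COOKIE_KEY = 'constructed-demo-key-replace-with-random-bytes';

// Build "hexpayload.expiry.mac", mac = HMAC-SHA256(key, "hexpayload.expiry").
function sign_cookie_value(string $payload, int $ttl, ?int $now = null): string
{
    $expiry = ($now ?? time()) + $ttl;
    $body   = bin2hex($payload) . '.' . $expiry;
    return $body . '.' . hash_hmac('sha256', $body, COOKIE_KEY);
}

// Return the original payload, or null if the value was altered or has expired.
function verify_cookie_value(string $value, ?int $now = null): ?string
{
    $parts = explode('.', $value);
    if (count($parts) !== 3) {
        return null;
    }
    [$hex, $expiry, $mac] = $parts;
    $expected = hash_hmac('sha256', $hex . '.' . $expiry, COOKIE_KEY);
    if (!hash_equals($expected, $mac)) {      // constant-time comparison
        return null;
    }
    // The MAC covers the expiry, so the client cannot extend it.
    if (!ctype_digit($expiry) || (int) $expiry < ($now ?? time())) {
        return null;
    }
    $payload = hex2bin($hex);
    return $payload === false ? null : $payload;
}

// Constructed demonstration.
$cookie = sign_cookie_value('user_id=42', 3600);
var_dump(verify_cookie_value($cookie));                  // value as issued

// Same cookie with the payload edited client-side and the old MAC kept.
$parts    = explode('.', $cookie);
$parts[0] = bin2hex('user_id=1');
var_dump(verify_cookie_value(implode('.', $parts)));     // edited value

// Same cookie presented two hours later, after its one-hour lifetime.
var_dump(verify_cookie_value($cookie, time() + 7200));   // replayed value
```

The same signed string can be passed in a URL to hand a session or cart identifier from one domain you control to another, with the receiving site running the verification before trusting it.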