Posted by Scott Haneda on 03/18/05 10:26
on 3/17/05 6:32 PM, Brian Dunning at brian@briandunning.com wrote:
>> I suspect it's
>> for sub-domains of sites you administer and not completely different
>> domains altogether.
>
> If this is true, and it's not possible for a site to set a cookie for a
> completely different domain, then why do browsers have security options
> to allow or prevent this specific action? I'm thinking it must be
> possible, and that there's a reason for the domain option in
> setcookie() other than subdomains. Would just love to know how to make
> it work...
The domain option exists in scripting implementations solely for the purpose
of subdomains. It is not there to imply you can use it for more than one
domain, but to allow you to secure your subdomains. If you set a cookie
for .example.com then test.example.com, *.example.com etc. will be able to
read it. This is not always what you want; in some cases, you may have
intranet.example.com and www.example.com, and you would not want to set the
domain parameter to .example.com as that would allow one to read your
intranet cookies.
You will simply never make it work; it is designed to never allow this.
There has been one security issue I can think of to date that allowed it,
but it was patched promptly.
The day someone figured out how to set a cookie for amazon.com and read it
while under some other domain is the day all the news sites will be covering
that topic.
Cross-domain cookies are indeed possible: look at microsoft.com, msn.com and
msnbc.com, which indeed do share your cookies from one site to the next.
However, they do it by redirects and GET/POST methods, which is perfectly
legit since they control those domains. No one outside someone with access
to those servers could implement it.
You are misinterpreting the prefs in browsers; they cannot do what you ask.
--
-------------------------------------------------------------
Scott Haneda Tel: 415.898.2602
<http://www.newgeo.com> Novato, CA U.S.A.
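The scoping rules Scott describes are enforced by the browser, not by setcookie(). The following is an added example, not code from the thread: a small Python model of the RFC 6265 domain-matching and Set-Cookie acceptance rules, showing that a cookie scoped to .example.com reaches every subdomain (including intranet.example.com), that omitting the domain keeps the cookie host-only, and that a page on an unrelated host cannot store a cookie for another domain at all. The hostnames (www.example.com, intranet.example.com, other.example) are constructed for illustration, and the public-suffix check real browsers also apply (rejecting Domain=com) is left out.

```python
"""
Added example (not from the original thread): a model of the browser-side
Domain rules from RFC 6265 that explain why setcookie()'s domain parameter
only ever reaches subdomains of the host that set the cookie.

All hostnames used here are constructed for illustration. The public-suffix
check that browsers additionally apply (e.g. refusing Domain=com) is omitted.
"""
from dataclasses import dataclass
from typing import Optional


def domain_match(host: str, domain: str) -> bool:
    """RFC 6265 section 5.1.3: does `host` domain-match `domain`?

    True when the two are identical, or when `domain` is a suffix of `host`
    with a dot immediately before it and `host` is not an IP literal.
    A leading dot on `domain` (the older ".example.com" spelling that
    setcookie() callers use) is ignored, as current browsers do.
    """
    host = host.lower().rstrip(".")
    domain = domain.lower().lstrip(".").rstrip(".")
    if host == domain:
        return True
    if not host.endswith("." + domain):
        return False
    # Reject IPv4 literals: "10.0.0.1" must never match a cookie domain "0.0.1".
    return not host.replace(".", "").isdigit()


@dataclass(frozen=True)
class Cookie:
    name: str
    domain: str       # effective domain after the browser applied section 5.3
    host_only: bool   # True when no Domain attribute was given


def store_cookie(setting_host: str, name: str,
                 domain_attr: Optional[str]) -> Optional[Cookie]:
    """RFC 6265 section 5.3 steps 4-6: accept or ignore a Set-Cookie header.

    Returns the stored cookie, or None when the browser ignores it because the
    host that sent the header is not inside the requested Domain.
    """
    if not domain_attr:
        return Cookie(name, setting_host.lower(), host_only=True)
    if not domain_match(setting_host, domain_attr):
        return None  # e.g. other.example trying to set Domain=example.com
    return Cookie(name, domain_attr.lower().lstrip("."), host_only=False)


def cookie_sent_to(cookie: Cookie, request_host: str) -> bool:
    """RFC 6265 section 5.4 step 1: would this cookie be attached to a request?"""
    if cookie.host_only:
        return request_host.lower() == cookie.domain
    return domain_match(request_host, cookie.domain)


if __name__ == "__main__":
    # The reply's own scenario: a cookie scoped to .example.com is readable by
    # every subdomain, including intranet.example.com.
    wide = store_cookie("www.example.com", "session", ".example.com")
    for host in ("www.example.com", "intranet.example.com", "test.example.com"):
        print(f"{host} receives the .example.com cookie:", cookie_sent_to(wide, host))

    # Leaving the domain unset keeps the cookie host-only, the safer default.
    narrow = store_cookie("www.example.com", "session", None)
    print("intranet.example.com receives the host-only cookie:",
          cookie_sent_to(narrow, "intranet.example.com"))

    # A page on an unrelated host cannot plant a cookie for example.com.
    attempt = store_cookie("other.example", "session", "example.com")
    print("cross-domain Set-Cookie stored:", attempt is not None)
```

Running the block prints True for all three example.com hosts on the wide cookie, False for the host-only cookie reaching intranet.example.com, and False for the cross-domain attempt, which is the behaviour the reply describes.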