Reply to Re: Cookie & Frame from another domain?

Posted by d on 04/16/06 20:59

"Bruno" <2005b@TimesOnThe.Net> wrote in message
news:D0v0g.106$DR6.12641@news20.bellglobal.com...
> Yes, but it does actually work on any browser I have seen aside from IE
> (including Netscape, Firefox Win, Firefox Linux, Safari Mac).
>
> The page in the frame does have a domain associated with it, shouldn't the
> cookie be available to that domain? (But not necessarily to the domain of
> the hosting frame)

Relying on an obvious security flaw for functionality is not exactly
planning on the future :)

Having a frame in a page be able to read cookies from the domain in which
the frame is situated is a nasty thing. Someone could inject a frame into a
site's HTML somehow, and have that frame bring up a page on a second server,
and that'll give the second server access to the cookies of the first
server, on that page. Nasty stuff.

>
>
> "Gordon Burditt" <gordonb.ag0mk@burditt.org> wrote in message
> news:1244t1u3ue2pl1c@corp.supernews.com...
>>> I have a feature that is hosted on a different domain from the primary one
>>> in a frame, and need to retain values in a cookie.
>>>
>>> example: A web page at one.com contains a frame which has a page hosted at
>>> two.com
>>>
>>> If I view the frameset from one.com in Firefox, all works well with the
>>> content from two.com. But if trying to view this using IE (with standard
>>> security settings), the cookie set by two.com is not accessible.
>>>
>>> Have been tinkering with the domain setting in the setcookie function to
>>> specify the domain: have tried one.com and two.com, but have not been able
>>> to get at the cookie value.
>>>
>>> How can I get this to work?
>>
>> Hopefully you can't on any browser. Cookies from one domain aren't
>> supposed to be sent to another. For many, many, uses of cookies,
>> it's a BIG security hole (you're handing credentials to log into one
>> web site to another web site, which makes session hijacking easy).
>>
>> Gordon L. Burditt
>
>
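
The cookie scoping discussed in this thread, as an added example that is not part of the original posts: a simplified model of the domain-matching rule browsers apply (as written down in RFC 6265), using the thread's one.com and two.com hosts. The function names and cookie names are hypothetical, and the model covers only domain scoping, not a browser's separate third-party cookie settings.

```javascript
// Added example: simplified cookie domain scoping (no public-suffix list, no IP hosts).
// one.com / two.com are the hosts from the thread; cookie names are constructed.

// RFC 6265 section 5.1.3: does request host `host` domain-match cookie domain `domain`?
function domainMatch(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  return host === domain || host.endsWith("." + domain);
}

// Decide whether a cookie set by `setterHost` with an optional Domain attribute is stored.
// Returns the stored cookie record, or null when the browser must ignore the cookie.
function acceptCookie(setterHost, name, value, domainAttr) {
  if (!domainAttr) {
    return { name, value, domain: setterHost.toLowerCase(), hostOnly: true };
  }
  const domain = domainAttr.replace(/^\./, "").toLowerCase();
  if (!domainMatch(setterHost, domain)) return null; // foreign domain: rejected
  return { name, value, domain, hostOnly: false };
}

// Names of cookies in `jar` that are attached to a request for `requestHost`.
// The host of the page that embeds the frame is not an input to this decision.
function cookiesFor(jar, requestHost) {
  const host = requestHost.toLowerCase();
  return jar
    .filter(c => (c.hostOnly ? host === c.domain : domainMatch(host, c.domain)))
    .map(c => c.name);
}

function demo() {
  const jar = [];
  const rejected = [];
  const attempts = [
    ["two.com", "prefs", "a", undefined],   // framed page sets a host-only cookie
    ["two.com", "prefs2", "b", "one.com"],  // framed page names the parent's domain
    ["one.com", "session", "s", "one.com"], // parent site's own cookie
  ];
  for (const [host, name, value, domainAttr] of attempts) {
    const cookie = acceptCookie(host, name, value, domainAttr);
    if (cookie) jar.push(cookie); else rejected.push(name);
  }
  return { rejected, toTwo: cookiesFor(jar, "two.com"), toOne: cookiesFor(jar, "www.one.com") };
}
```

In this model the page framed from two.com can keep its own cookie, but its attempt to set one for one.com is dropped, and the one.com session cookie is never attached to a request for two.com.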
