Posted by Bruno on 04/16/06 23:19
Agreed - A cookie on two.com should not be accessible by one.com.

I want the cookie on two.com to be accessible by two.com inside a frame
originating on a page at one.com.

But, when the two.com page sets a cookie, and chains another page in two.com
(within the frameset defined at one.com), the cookie values are not
accessible under IE as they are for all other browsers.

Now, if I go into the IE privacy setting, click 'override cookie handling',
and ensure 'always allow third party cookies' is checked, the application
will work in a frame; otherwise it will only work under IE if it is in a
separate browser window (i.e. being the 'primary' site).

I'm just not happy about having to give instructions to the masses telling
them to adjust their cookie settings under IE. And as far as I'm concerned,
site two.com using a site two.com cookie should not be an unrealistic
thing...

"Gordon Burditt" <gordonb.mm6lu@burditt.org> wrote in message
news:124561l2co7lm87@corp.supernews.com...
>>Yes, but it does actually work on any browser I have seen aside from IE
>>(including Netscape, Firefox Win, Firefox Linux, Safari Mac).
>>
>>The page in the frame does have a domain associated with it, shouldn't the
>>cookie be available to that domain? (But not necessarily to the domain of
>>the hosting frame)
>
> A cookie set by domain A should never be sent to a server not in
> domain A.
>
>>>>I have a feature that is hosted on a different domain from the primary
>>>>one in a frame, and need to retain values in a cookie.
>>>>
>>>>example: A web page at one.com contains a frame which has a page hosted
>>>>at two.com
>>>>
>>>>If I view the frameset from one.com in Firefox, all works well with the
>>>>content from two.com. But if trying to view this using IE (with standard
>>>>security settings), the cookie set by two.com is not accessible.
>
> Ok, perhaps I misunderstood you. The cookie set by two.com is not
> accessible *ON WHICH SERVER*? I assumed you meant it wasn't
> accessible by pages on one.com. And it shouldn't be.
>
>>>>Have been tinkering with the domain setting in the setcookie function to
>>>>specify the domain: have tried one.com and two.com, but have not been
>>>>able to get at the cookie value.
>
> Get at the cookie value *ON WHICH SERVER*?
>
>>>>
>>>>How can I get this to work?
>>>
>>> Hopefully you can't on any browser. Cookies from one domain aren't
>>> supposed to be sent to another. For many, many, uses of cookies,
>>> it's a BIG security hole (you're handing credentials to log into one
>>> web site to another web site, which makes session hijacking easy).
>>>
>>> Gordon L. Burditt
>
> Gordon L. Burditt
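
The two rules argued over in this thread, as an added example that is not part of the original posts: a cookie goes only to hosts that match its domain, and a privacy setting may additionally refuse it when the framed site differs from the top-level site. This is a simplified model, not any browser's real implementation; the function names and the blockThirdParty flag are hypothetical.

```javascript
// Simplified model (added example): decides whether a cookie is attached to a
// request for a framed page. Not any browser's real implementation.

// Assumption: the "site" is the last two labels of the host. Real browsers use
// the Public Suffix List; this shortcut is wrong for hosts like example.co.uk.
function siteOf(host) {
  return host.toLowerCase().split('.').slice(-2).join('.');
}

// RFC 6265 domain-match: host equals the cookie domain or is a subdomain of it.
function domainMatches(requestHost, cookieDomain) {
  const host = requestHost.toLowerCase();
  const domain = cookieDomain.toLowerCase().replace(/^\./, '');
  return host === domain || host.endsWith('.' + domain);
}

// topHost: host of the page in the address bar (the frameset).
// requestHost: host of the framed page being requested.
// blockThirdParty: hypothetical flag standing for a privacy setting that
// rejects cookies when the framed site differs from the top-level site.
function cookieDecision(topHost, requestHost, cookieDomain, blockThirdParty) {
  if (!domainMatches(requestHost, cookieDomain)) {
    return 'not sent: cookie domain does not match request host';
  }
  const thirdParty = siteOf(topHost) !== siteOf(requestHost);
  if (thirdParty && blockThirdParty) {
    return 'not sent: third-party context blocked by privacy setting';
  }
  return thirdParty ? 'sent: third-party context allowed'
                    : 'sent: first-party context';
}

// Constructed scenarios using the thread's one.com / two.com names.
const scenarios = [
  ['www.one.com', 'www.two.com', 'two.com', true],  // framed, setting blocks
  ['www.one.com', 'www.two.com', 'two.com', false], // framed, setting allows
  ['www.two.com', 'www.two.com', 'two.com', true],  // separate window
  ['www.one.com', 'www.one.com', 'two.com', false], // other domain's server
];
for (const s of scenarios) {
  console.log(s.join(' | '), '->', cookieDecision(...s));
}
```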