Share a cookie between two websites

I created a site (A) that logs in and retrieves customer data from a separate web service.

The organization that owns (A) also has a website (B) that has a web form. They want the logged-in client (A) to click on the link (B) and view the pre-filled form with their details.

This means that (A) must write its customer ID to a cookie, which (B) can read, and then (B) can request data from the web service and pre-fill the form.

This raises two questions:

  • Can website (B) read a cookie for website (A)?

  • If so, to make sure nobody edits the cookie and sees other people's data in the form, I need to do something like encrypt the cookie in (A) and then decrypt it in (B). Any suggestions along this line?

I cannot change my existing login to OAuth or anything else, since the web service is consumed by several other sites, so this cannot change.

+22
cookies
7 answers

No. Website B cannot read cookies from Website A.

The easiest way is to transfer the login / access information from website A to website B and have website B set a separate cookie. For example, after logging in to website A, you could quickly redirect them to website B with an encrypted request. Website B could then read the information, set its own cookie, and redirect the user back to Website A.

This is random, but possible.

+18

You mentioned that the same company owns both sites. As you suspected, if the sites share a domain, such as www.mycompany.com and store.mycompany.com, they can share cookies. The HTTP response header will look something like this:

Set-Cookie: user_id=1295214458; Path=/; Domain=.mycompany.com 

Since the client has direct access to this data, you must also include a signature in order to detect unauthorized interference. Usually all of this is encrypted and signed into a “token”, and this is set as a cookie. But technically, only a signature is required.

+14
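
The signature check described in the answer above, sketched as an added example (not code from the original answer). It uses HMAC-SHA256 with a key shared by both sites and signs without encrypting, so the customer ID stays readable by the client; the key, the `cid`/`exp` field names, the function names and the five-minute lifetime are all assumptions.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo key (assumption): both sites load the real one from protected config.
SHARED_KEY = b"constructed-demo-key-do-not-reuse"
MAX_AGE_SECONDS = 300  # assumed lifetime; keeps a copied cookie from working forever


def b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(customer_id: str, now: Optional[float] = None) -> str:
    """Site A: serialise the claims and append an HMAC-SHA256 tag over them."""
    issued = time.time() if now is None else now
    claims = {"cid": customer_id, "exp": int(issued) + MAX_AGE_SECONDS}
    body = b64e(json.dumps(claims, separators=(",", ":")).encode())
    tag = hmac.new(SHARED_KEY, body.encode(), hashlib.sha256).digest()
    return body + "." + b64e(tag)


def verify_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Site B: return the customer ID, or None if tampered, malformed or expired."""
    current = time.time() if now is None else now
    try:
        body, tag = token.split(".")
        expected = hmac.new(SHARED_KEY, body.encode(), hashlib.sha256).digest()
        # Check the tag first, in constant time, before parsing anything.
        if not hmac.compare_digest(b64d(tag), expected):
            return None
        claims = json.loads(b64d(body))
        if int(claims["exp"]) < current:
            return None
        return str(claims["cid"])
    except (ValueError, KeyError, TypeError):
        return None
```

The value returned by `issue_token` is what would go in the `Set-Cookie` header in place of the bare `user_id`; site B pre-fills the form only when `verify_token` returns an ID.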

If in your case all your users use HTML5-enabled browsers, you can use the window.postMessage method which allows addEventListener on the one hand and postMessage on the other. Here is a good article / example: https://developer.mozilla.org/en-US/docs/Web/API/window.postMessage .

Then the steps are simple:

  1. Add a hidden frame of site B to site A
  2. Send B's cookies to A using window.postMessage
  3. Save the received cookie in a cookie
+5

Cookies are only available for the one domain for which they are set.

I believe that if you use two subdomains in the same domain, you can share cookies, but the browser does not send cookies set in the same domain to third parties.

Edit: You also want to avoid storing large amounts of data in a cookie. Is it possible that you could create an API that site B could request using JavaScript?

+2

There are open source tools on the Internet that can do this, but this contradicts the idea of a cookie philosophy. Cookies are designed to access only one domain. However, you can make fun of this domain and "Hack" in the browser. This is not recommended, and some browsers have more stringent protection and do not allow this.

I suggest you create a web service on website A and provide read access to B to read it.

0

Potential work: you can use the built-in frame on the secondary site to display content from the main site (occupying the full window):

    <!DOCTYPE HTML>
    <html>
    <head>
      <title>your page title</title>
      <style type="text/css">
        body, html { margin: 0; padding: 0; height: 100%; overflow: hidden; }
        #content { position: absolute; left: 0; right: 0; bottom: 0; top: 0px; }
      </style>
    </head>
    <body>
      <div id="content">
        <iframe width="100%" height="100%" frameborder="0" src="http://yourMainSite.com/dataDependentPage.php"></iframe>
        TESTING
      </div>
    </body>
    </html>

0

The HttpCookie.Domain property can help.

Exposure:

 MyCookie.Domain = domainName; 
0
