Cross domain cookie - one tricky question

April 3, 2008

Hi there readers. Lately I was working on a project that was supposed to be a website running on many domains. The website was one that offered membership levels to users, different facilities per user group, etc… The fact is, users had to log in and keep the session active while moving from one domain to another. For login sessions I used cookies, but that is not really important. In fact any method used ends up in the same COOKIE, and the problem is still the same: how to send cookies across domains.

Why is this a huge problem?

Well, the thing is pretty simple: for security reasons, browsers do not permit reading/writing of cookies from one domain to another. So if we have domains a.com and b.com, while accessing a.com we won’t be able to access any of b.com’s cookies. If this restriction weren’t in place, it would be a big security hole.

So what can we do, then, to have cross domain cookies?

Googling a lot and reading other opinions, I got a final working version of it. The idea is based on a set of redirects between the domain the cookies are on (the user is logged in there) and the domain where we want to have the same cookies set (the domain where we would like to log in the user, without asking again for a user/password). Let’s denote by a.com the domain that contains the cookie and by b.com the domain we need the cookies on.

The whole process works in some steps:

  1. First, from domain b.com we make a request to domain a.com;
  2. On this request, a.com responds by building an HTTP GET/POST to domain b.com, sending there the needed cookies as HTTP GET/POST parameters (name/value pairs).
  3. On domain b.com, as a response to the request coming from domain a.com, we take each POST/GET parameter and send it as a cookie to the browser.
  4. This step is optional, but if in the previous steps we used GET as the HTTP method of the requests, then it needs to be done in order to avoid security holes. Why is that? Well, by step 3 the browser has been sent to b.com with a GET request, so it is on b.com?some_query_string. That query string carries the needed cookies, so that when accessing that URL, it’ll automatically log the user in on domain b.com (the desired effect). Now, suppose that on domain b.com there is an external link and the user clicks on it right after being redirected from a.com. On that external link’s web server, the referrer will be stored in the logs, and the referrer is exactly our URL containing the COOKIES needed to log in automatically. Someone may see those logs and log in without being authorized.
     So what is this step about? Pretty simple: we do another redirect to domain b.com, stripping the COOKIES from the GET string. That way we are secure.
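The four steps above, simulated end to end as an added example (this is not code from the original post). Each handler stands in for a server-side page and returns a minimal HTTP response as a `(status, headers)` tuple; the domain names, the `/sso/landing` path, the `session` cookie name and the sample cookie value are all assumed for the demonstration. The example also adds two checks the post does not spell out: a.com only copies an allow-listed set of cookie names, and it only redirects back to b.com, never to an arbitrary host supplied in the request.

```python
"""Simulated three-hop cross-domain cookie handoff (constructed example).

Hop 1: the browser, logged in on a.com, is sent from b.com to a.com.
Hop 2: a.com redirects back to b.com with the cookie pairs in the query string.
Hop 3: b.com turns each pair into a Set-Cookie, then redirects once more to
       the same path with an empty query string, so the cookie values never
       end up in the Referer header of an outbound link (step 4 of the post).
"""
from http.cookies import SimpleCookie
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

A_DOMAIN = "a.com"      # hypothetical: domain that already holds the session
B_DOMAIN = "b.com"      # hypothetical: domain that needs the same session
SHARED = ("session",)   # allow-list of cookie names that may be handed over


def a_com_handler(request_cookie_header, return_to):
    """Hop 2 (runs on a.com): copy allow-listed cookies into a redirect to b.com."""
    jar = SimpleCookie()
    jar.load(request_cookie_header)
    pairs = {name: jar[name].value for name in SHARED if name in jar}

    # Only redirect to b.com; a return_to pointing anywhere else is refused,
    # otherwise a.com could be tricked into handing the session to any host.
    parts = urlsplit(return_to)
    if parts.scheme != "https" or parts.netloc != B_DOMAIN:
        return 400, {}
    location = urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(pairs), ""))
    return 302, {"Location": location}


def b_com_landing_handler(url):
    """Hop 3 (runs on b.com): set each query pair as a cookie, then strip the query."""
    parts = urlsplit(url)
    pairs = dict(parse_qsl(parts.query))

    set_cookie = []
    for name, value in pairs.items():
        if name not in SHARED:          # ignore anything not on the allow-list
            continue
        c = SimpleCookie()
        c[name] = value
        c[name]["domain"] = B_DOMAIN
        c[name]["path"] = "/"
        c[name]["httponly"] = True      # keep it away from page scripts
        c[name]["secure"] = True        # only ever sent over HTTPS
        set_cookie.append(c.output(header="").strip())

    # Step 4: redirect to the same path with no query string at all.
    clean = urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))
    return 302, {"Set-Cookie": set_cookie, "Location": clean}


def handoff(request_cookie_header, return_to):
    """Run hops 2 and 3 in sequence, as the browser following the redirects would."""
    status, headers = a_com_handler(request_cookie_header, return_to)
    if status != 302:
        return status, headers
    return b_com_landing_handler(headers["Location"])


if __name__ == "__main__":
    # Constructed sample: the browser's Cookie header as seen by a.com.
    print(handoff("session=abc123; other=zzz", "https://b.com/sso/landing"))
```

Even with the final strip redirect, the session value still transits a URL once, so it will appear in a.com's access log, the browser history and any proxy log in between; the redirect chain only closes the referrer leak the post describes.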

That should be all. This is the main mechanism that I got implemented and working. I’ll come back in another post looking at a practical way of doing it. Any comments are welcome. If you discover any security holes or you think something is wrong, please leave your feedback.
