[thelist] Cross-Domain cookies

Jeff Howden jeff at jeffhowden.com
Tue Jun 24 02:17:36 CDT 2003


john,

><><><><><><><><><><><><><><><><><><><><><><><><><><><><><
> From: John Handelaar
>
> > sorry, but security restrictions will never allow this
> > to happen.  imagine the possibilities if
> > barnesandnoble.com could read your amazon.com cookie
> > or aol.com could read your microsoft.com cookie.
>
> Grabbing the GUID portion of that cookie from Microsoft
> is relatively simple, and it's how MS itself
> deliberately subverts the 'no cross-domain cookies'
> rule.
>
> <http://www.newmediawhore.com/article.php?story=20010518172000930>
><><><><><><><><><><><><><><><><><><><><><><><><><><><><><

sorry, but there's nothing terribly revolutionary, subversive, underhanded,
draconian, or even unique about what microsoft is doing.  it's a simple
means of sharing a unique identifier with sibling sites that happen to be
under different domains (as is the case with msn.com and msn.fr).  i'll
agree, it's a shame they've not tightened it down to include checking the
redirect domain before appending the newguid name/value pair to make sure
they're not sharing it with an unauthorized party.  however, it's hardly
something worthy of all the fuss.

heck, i implemented something just as "evil" on a client project where they
have 5 completely unique domain names and needed to be able to maintain both
persistent logins and shopping cart across them all.  guess i'm no better
than microsoft then.

;p

oh, and aol.com still *can't* read cookies set by microsoft.com, msn.com, or
any other domain, for that matter.  the only thing they can get is a
basically useless (to anyone but msn) guid.

respectfully,

.jeff

------------------------------------------------------
Jeff Howden - Web Application Specialist
Resume - http://jeffhowden.com/about/resume/
Code Library - http://evolt.jeffhowden.com/jeff/code/
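The "checking the redirect domain before appending the newguid name/value pair" step that the post wishes Microsoft had added is the part worth seeing in code. The following is an added example, not code from this thread, from Jeff's client project or from MSN: it assumes a hypothetical site that redirects visitors to sibling domains and wants to attach an opaque identifier only when the target host is on an allowlist, so an arbitrary redirect target never receives it. The host names, the `newguid` parameter and the `SIBLING_HOSTS` set are constructed for the example.

```python
import uuid
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed allowlist of sibling domains permitted to receive the shared id.
# Exact hosts (or their subdomains) only; a suffix match on a bare string
# would let "evilshop.example" slip past a check for "shop.example".
SIBLING_HOSTS = {"shop.example", "shop.example.fr", "shop-example.co.uk"}


def new_guid() -> str:
    """Opaque identifier shared across sibling sites. It is NOT the session
    cookie itself: the sibling site maps it to its own state server-side, so a
    third party that sees it learns nothing usable (the point made in the post)."""
    return uuid.uuid4().hex


def is_sibling(host: str) -> bool:
    """True if host is an allowlisted sibling or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == h or host.endswith("." + h) for h in SIBLING_HOSTS)


def attach_identifier(redirect_url: str, guid: str, param: str = "newguid") -> str:
    """Return redirect_url with `param=guid` appended only when the target
    host is an approved sibling; otherwise return the URL unchanged so the
    identifier is never handed to an unauthorized domain."""
    parts = urlsplit(redirect_url)
    # .hostname strips userinfo, so "https://shop.example@evil.test/" resolves
    # to "evil.test" and is correctly rejected.
    host = parts.hostname or ""
    if parts.scheme not in ("http", "https") or not is_sibling(host):
        return redirect_url
    query = dict(parse_qsl(parts.query, keep_blank_values=True))
    query[param] = guid
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(query), parts.fragment))


if __name__ == "__main__":
    g = new_guid()
    for target in ("https://shop.example.fr/cart",
                   "https://shop.example@evil.test/",
                   "https://shop.example.evil.test/"):
        print(target, "->", attach_identifier(target, g))
```

The check is deliberately an exact-or-subdomain match against a fixed set rather than a substring test, and it reads the parsed hostname rather than the raw netloc so userinfo and look-alike suffixes cannot widen the allowlist.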
