[thelist] Cross-Domain cookies
Jeff Howden
jeff at jeffhowden.com
Tue Jun 24 02:17:36 CDT 2003
john,
><><><><><><><><><><><><><><><><><><><><><><><><><><><><><
> From: John Handelaar
>
> > sorry, but security restrictions will never allow this
> > to happen. imagine the possibilities if
> > barnesandnoble.com could read your amazon.com cookie
> > or aol.com could read your microsoft.com cookie.
>
> Grabbing the GUID portion of that cookie from Microsoft
> is relatively simple, and it's how MS itself
> deliberately subverts the 'no cross-domain cookies'
> rule.
>
> <http://www.newmediawhore.com/article.php?story=20010518172000930>
><><><><><><><><><><><><><><><><><><><><><><><><><><><><><
sorry, but there's nothing terribly revolutionary, subversive, underhanded,
draconian, or even unique about what microsoft is doing. it's a simple
means of sharing a unique identifier with sibling sites that happen to be
under different domains (as is the case with msn.com and msn.fr). i'll
agree, it's a shame they've not tightened it down to include checking the
redirect domain before appending the newguid name/value pair to make sure
they're not sharing it with an unauthorized party. however, it's hardly
something worthy of all the fuss.
heck, i implemented something just as "evil" on a client project where they
have 5 completely unique domain names and needed to be able to maintain both
persistent logins and shopping cart across them all. guess i'm no better
than microsoft then.
;p
oh, and aol.com still *can't* read cookies set by microsoft.com, msn.com, or
any other domain, for that matter. the only thing they can get is a
basically useless (to anyone but msn) guid.
respectfully,
.jeff
------------------------------------------------------
Jeff Howden - Web Application Specialist
Resume - http://jeffhowden.com/about/resume/
Code Library - http://evolt.jeffhowden.com/jeff/code/
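The post above describes sharing an identifier between sibling sites on different domains by appending a `newguid` name/value pair to a redirect, and notes the missing check of the redirect domain before appending it. The following is an added example, not code from the post, from Microsoft, or from the client project Jeff mentions; it shows the unchecked redirect beside one that only appends the identifier when the target host is on an allow-list of sibling hosts, plus the sibling-side read of the parameter. The host names, the `newguid` parameter name as a query key, and the 32-hex-digit identifier format are assumptions made for the example.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed allow-list of sibling hosts that may receive the identifier.
# These names are assumed for the example; they are not from any real deployment.
SIBLING_HOSTS = frozenset({"www.example.com", "www.example.fr", "shop.example.co.uk"})

# Assumed identifier format: 32 lowercase hex digits (a GUID with dashes/braces stripped).
GUID_RE = re.compile(r"^[0-9a-f]{32}$")


def _append_guid(parts, guid):
    """Rebuild the URL with ``newguid`` set to ``guid``; drop any caller-supplied
    ``newguid`` so a crafted redirect target cannot choose the value."""
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
             if k != "newguid"]
    query.append(("newguid", guid))
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(query), parts.fragment))


def naive_redirect(target_url, guid):
    """The unchecked behaviour the post describes: the identifier is appended
    to whatever redirect target was supplied, so any domain can receive it."""
    return _append_guid(urlsplit(target_url), guid)


def checked_redirect(target_url, guid, allowed_hosts=SIBLING_HOSTS):
    """Append the identifier only when the redirect target is a sibling site.

    Returns (url, shared). ``hostname`` strips userinfo and the port and
    lower-cases the host, so ``https://www.example.fr@evil.test/`` resolves to
    ``evil.test`` and ``www.example.fr.evil.test`` is not a prefix match. When
    the host is not allowed, the target is returned unchanged and the
    identifier is never placed in the URL.
    """
    parts = urlsplit(target_url)
    host = parts.hostname
    if parts.scheme not in ("http", "https") or host is None:
        return target_url, False
    if host not in allowed_hosts:          # exact match, not a suffix check
        return target_url, False
    return _append_guid(parts, guid), True


def guid_from_landing_url(landing_url):
    """Sibling-site side: extract the identifier from the landing URL so the
    site can store it in its own first-party cookie. Returns None when the
    parameter is absent or does not match the expected format."""
    params = dict(parse_qsl(urlsplit(landing_url).query, keep_blank_values=True))
    guid = params.get("newguid", "")
    return guid if GUID_RE.match(guid) else None


if __name__ == "__main__":
    guid = "0123456789abcdef0123456789abcdef"   # constructed sample identifier
    for target in ("https://www.example.fr/home?lang=fr",
                   "https://www.example.fr.evil.test/",
                   "https://www.example.fr@evil.test/"):
        print("naive  :", naive_redirect(target, guid))
        print("checked:", checked_redirect(target, guid))
```

The checked version is the "tighten it down" step the post asks for: the decision is made on the parsed host, compared exactly against the sibling list, rather than on a substring of the raw URL, and the receiving site validates the parameter's shape before trusting it.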