Re: [PHP] Setting cookies for other domains
On Friday 18 March 2005 10:32, Brian Dunning wrote:

> > I suspect it's for sub-domains of sites you administer and not
> > completely different domains altogether.
>
> If this is true, and it's not possible for a site to set a cookie for a
> completely different domain, then why do browsers have security options
> to allow or prevent this specific action?

When you display a webpage it very often pulls in a load of crap from other websites (e.g. banner ads). These other websites are able to set their own cookies (for their particular domains). The browser prefs are for preventing these 3rd party websites from setting these 3rd party cookies.

--
Jason Wong - Gremlins Associates - www.gremlins.biz

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] Setting cookies for other domains
on 3/17/05 6:32 PM, Brian Dunning at [EMAIL PROTECTED] wrote:

> > I suspect it's for sub-domains of sites you administer and not
> > completely different domains altogether.
>
> If this is true, and it's not possible for a site to set a cookie for a
> completely different domain, then why do browsers have security options
> to allow or prevent this specific action? I'm thinking it must be
> possible, and that there's a reason for the domain option in setcookie()
> other than subdomains. Would just love to know how to make it work...

The domain option exists in scripting implementations solely for the purpose of subdomains. It is not there to imply you can use it for more than one domain, but to allow you to secure your subdomains.

If you set a cookie for .example.com then test.example.com and *.example.com etc. will be able to read it. This is not always what you want; in some cases, you may have intranet.example.com and www.example.com and you would not want to set the domain parameter to .example.com as that would allow one to read your intranet cookies.

You will simply never make it work; it is designed to never allow this. There has been one security issue I can think of to date that allowed it, but it was patched promptly. The day someone figures out how to set a cookie for amazon.com and read it while under some other domain is the day all the news sites will be covering that topic.

Cross domain cookies are indeed possible, look at microsoft.com, msn.com and msnbc.com which indeed do share your cookies from one site to the next; however, they do it by redirects and get/post methods, which is perfectly legit since they control those domains. No one outside someone with access to those servers could implement it.

You are misinterpreting the prefs in browsers; they cannot do what you ask.

--
Scott Haneda                Tel: 415.898.2602
http://www.newgeo.com       Novato, CA U.S.A.

Re: [PHP] Setting cookies for other domains
> You are misinterpreting the prefs in browsers, they can not do what you
> ask.

That's fine, I'm perfectly willing to accept this - but can someone explain what the pref IS for?

Re: [PHP] Setting cookies for other domains
on 3/18/05 5:47 AM, Brian Dunning at [EMAIL PROTECTED] wrote:

> > You are misinterpreting the prefs in browsers, they can not do what
> > you ask.
>
> That's fine, I'm perfectly willing to accept this - but can someone
> explain what the pref IS for?

You have not said which browser and what pref you are referring to.

--
Scott Haneda                Tel: 415.898.2602
http://www.newgeo.com       Novato, CA U.S.A.

[PHP] Setting cookies for other domains
I've always known that you can specify a domain when you set a cookie, and for kicks I experimented with a test page setting a cookie for yahoo.com. Seems to me that browsers wouldn't allow this as it could create any number of security problems.

I tried the following code, and the yahoo cookie did not get set, as I expected, and the briandunning.com cookie did (that's my site). I made sure that my browser's settings were set to allow all cookies, including those from other sites.

    <?php
    setcookie('test', 'anything', time()+31536000, '/', '.yahoo.com');
    setcookie('test', 'anything', time()+31536000, '/', '.briandunning.com');
    ?>

Question: why didn't this work, is it supposed to work the way I was trying, and if not, then what is that domain variable there for???

- Brian

RE: [PHP] Setting cookies for other domains
Brian Dunning mailto:[EMAIL PROTECTED] on Thursday, March 17, 2005 4:45 PM said:

> Question: why didn't this work, is it supposed to work the way I was
> trying, and if not, then what is that domain variable there for???

Answer:

> Seems to me that browsers wouldn't allow this as it could create any
> number of security problems.

Nonetheless, I've never really used the domain option but I suspect it's for sub-domains of sites you administer and not completely different domains altogether.

Read here: http://wp.netscape.com/newsref/std/cookie_spec.html

HTH,
Chris.

Re: [PHP] Setting cookies for other domains
Brian Dunning wrote:

> I've always known that you can specify a domain when you set a cookie,
> and for kicks I experimented with a test page setting a cookie for the
> yahoo.com. Seems to me that browsers wouldn't allow this as it could
> create any number of security problems.

This is why the specification mentions, "Only hosts within the specified domain can set a cookie for a domain."

> Question: why didn't this work, is it supposed to work the way I was
> trying, and if not, then what is that domain variable there for?

It allows you to specify the domain for which the cookie is valid. When a browser makes a request, it checks for cookies to be included in the Cookie header. Only those that meet the requirements (domain, path, expiry, etc.) are included.

Hope that helps.

Chris

--
Chris Shiflett
Brain Bulb, The PHP Consultancy
http://brainbulb.com/

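The browser-side checks this thread describes (the subdomain scope in Scott Haneda's reply and the Cookie header selection in Chris Shiflett's), as an added example that is not part of any poster's message: a simplified JavaScript model of RFC 6265 domain matching. The function names and the hosts www.briandunning.com and ads.example.net are assumptions, and the model has no public-suffix list.

```javascript
// Added example: simplified model of the browser's cookie domain checks
// (RFC 6265 domain matching). Assumptions: no public-suffix list, no IP hosts.

// True when `host` is `domain` itself or a subdomain of it.
function domainMatches(host, domain) {
  host = host.toLowerCase();
  return host === domain || host.endsWith('.' + domain);
}

// What the browser stores for a Set-Cookie received from `responseHost`.
// Returns the cookie's scope, or null when the cookie is rejected.
function acceptCookie(responseHost, domainAttr) {
  if (!domainAttr) {
    // No Domain attribute: host-only cookie, returned to this exact host only.
    return { domain: responseHost.toLowerCase(), hostOnly: true };
  }
  const domain = domainAttr.toLowerCase().replace(/^\./, '');
  // The host setting the cookie must itself lie inside the requested domain.
  if (!domainMatches(responseHost, domain)) return null;
  return { domain, hostOnly: false };
}

// Would the stored cookie go into the Cookie header of a request to `requestHost`?
function isSentTo(cookie, requestHost) {
  if (cookie === null) return false;
  const host = requestHost.toLowerCase();
  return cookie.hostOnly ? host === cookie.domain : domainMatches(host, cookie.domain);
}

// "Third-party" as in the browser preference: the response that sets the cookie
// comes from another site than the page being viewed.
// Assumption: a site is approximated by the last two labels of the host name.
function isThirdParty(pageHost, responseHost) {
  const site = (h) => h.toLowerCase().split('.').slice(-2).join('.');
  return site(pageHost) !== site(responseHost);
}

// Constructed hosts; the two Domain values are the ones from the original post.
const page = 'www.briandunning.com';
console.log(acceptCookie(page, '.yahoo.com'));        // null
console.log(acceptCookie(page, '.briandunning.com')); // { domain: 'briandunning.com', hostOnly: false }
const wide = acceptCookie('intranet.example.com', '.example.com');
const narrow = acceptCookie('intranet.example.com', undefined);
console.log(isSentTo(wide, 'www.example.com'), isSentTo(narrow, 'www.example.com')); // true false
console.log(isThirdParty(page, 'ads.example.net'));   // true
```
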
Re: [PHP] Setting cookies for other domains
> I suspect it's for sub-domains of sites you administer and not
> completely different domains altogether.

If this is true, and it's not possible for a site to set a cookie for a completely different domain, then why do browsers have security options to allow or prevent this specific action? I'm thinking it must be possible, and that there's a reason for the domain option in setcookie() other than subdomains. Would just love to know how to make it work...

- Brian