Cross domain cookies

bear picture bear · Jul 5, 2009 · Viewed 53.3k times · Source

I have a small problem.

How do I set a cookie for multiple domains?

I do understand the security problems, and I am sure it has been done before. The reason for this is SSO.

ie.

account.domain.com will need to set domain logged in for:

domain.com, domain1.com, domain2.com.

Is there any easy way, using PHP and cookies, or any alternatives?

Answer

Andrew Strong picture Andrew Strong · Jul 8, 2009

There is absolutely no way for domain.com to set a cookie for domain1.com. What you are attempting to do can only be solved by getting the user's browser to submit requests to each domain which will then set its own cookie.

Then you need a way for each domain to verify the user's identity. There are two approaches to this:

  1. Back channel - the sites contact each other directly to determine if a user is logged in.
  2. Passing a token in the GET or POST - when the user's broweser is redirected to the other site a digitally signed parameter is passed containing the identity and session status.

It's really quite complicated. I suggest you don't roll your own. Take a look at SimpleSAMLPHP for a PHP implementation of what I'm describing.