Share cookies between two domains?

[wza]

I've got two websites running on both different domains. For trafficmeasurement purposes i'd like to know how many visitors have visited each site, but also how many visitors been on BOTH sites. For that I think I need to be able to read one domain's cookies from the other domain. I know it's not possible to read from another domain, but is it possible to issue cookies so both domains can share em maybe?

Thnx

[logic_earth]

Nope it currently is not possible. Any browser with at least basic security will not allows another site on a different domain see or even use the cookie from another. However the way to get around that is to use an IP address instead of a domain name but that is not such a good idea.

[felgall]

The only way to do it is to have one of the domains load an iframe containing something from the other domain to set a third party cookie from there. It will then create a shared cookie for the one or two people who have yet to disable third party cookies in their browser.

[ServerStorm]

One technique that is used for load balancing could be used in your scenario: After a user logs in on domain A, verify their log-in, create and store a PHP session cookie in a shared database between the two sites - the 'session' database could only be used to store sessions and the two domains could you separate or no databases.

When the user navigates to domain B - query the stored session in the database and then verify it using the same logic as domain A. In fact the user would not have to log-in to domain B as you would carry over the session. Then just track their whereabouts as you normally do.

Of course I'm am referring to session cookies instead of client side cookies.

ServerStorm

[wza]

One technique that is used for load balancing could be used in your scenario: After a user logs in on domain A, verify their log-in, create and store a PHP session cookie in a shared database between the two sites - the 'session' database could only be used to store sessions and the two domains could you separate or no databases.

When the user navigates to domain B - query the stored session in the database and then verify it using the same logic as domain A. In fact the user would not have to log-in to domain B as you would carry over the session. Then just track their whereabouts as you normally do.

Of course I'm am referring to session cookies instead of client side cookies.

ServerStorm

I'm not getting this, how could i possibly verify a visitor on either one of the domains without the use of clientside cookies? (I guess I could use visitors IP's, but for measurement that's not going to be very accurate). If you are assuming visitors have logins, that's not correct. These are two public websites, not necessarily linked with eachother.

[ServerStorm]

Hi WZA,

If you are not using log-ins then another method does require a client side cookie and it goes like this:

• create a unique browser identifier by using a cookie to assign a differentiating visitor identifier - like MAC address for an ethernet card.
• The very first time that the application's URL is requested by a browser, intercepting php code calculates a long (like a MD5) random string - the browser identifier - and assigns it to a permanent cookie in the browser. Set the cookie to expire several years in the future.
• The intercepting php code also places this the browser identifier, otherwise known as a token, into the newly created PHP session to signify its originator. On all subsequent requests for that session identifier, the value in the cookie is compared to the originator token in the session.
• This is where centralizing the php session management in a database would be a good thing. You could write the php token code into the central database.
• When users enter either public site, the application first checks for the persistent cookie, if it exists then it loads the stored session in the db. This session can now be tracked by whatever mechanism you may have in place to read the session on page visits.

You are right that IPs have limitations as many environments share a gateway ip or have a pool of DHCP allocated IPs, which makes it impossible to track a single user.

Hope this helps,
ServerStorm

[G.Schuster]

Well, ServerStorm - you still have the problem that the cookie can only be rad by the domain that set it.
For domain B you will hav a newly created cookie with a new magic identifier.

[ServerStorm]

Hi G.Schuster,

Whoops! When I was thinking through this I forgot about the cookie domain lock therefore without a log-in (where the client cookies could be eliminated) and a shared PHP session could be used in site A and B then this approach will not work.

Sorry

ServerStorm

[REMIYA]

The only way to do it is to have one of the domains load an iframe containing something from the other domain to set a third party cookie from there. It will then create a shared cookie for the one or two people who have yet to disable third party cookies in their browser.

Yes. You can use iframe from 1st site, that will check cookie and return XML, or javascript response, that you can read from your 2nd site.