Cookies can only be read by the domain that created them.
It will only be a problem if you have people visit the same page using both domains. As long as they only access either one domain or the other they will not need a second cookie.
Well, they would. For some reasons, I sometimes want to send the user from domain.de to domain.com. He still should be recognized correctly. (-> no new login).
OK, maybe I have to get a little more specific.
My CMS is in German and English, but I want to strictly separate them by tld.
Some reasons are:
1.) Better tracking of different user groups for different languages.
2.) SEO - for search engines these are two different sites, and the clients come form different locations.)
3.) Easier for ad marketing
So in my case a user, that is for example is already logged in might want to change the language. (Would usually occur for German users, that found the English content first).
So how could I transfer the already set cookie safely from one to the other domain?
You could possibly pass a token in the querystring on the end of the URL when going from one domain to the other. That could then be used to establish the same info in a cookie on that domain.
That’s a bit of a simplified example. You would need some sort of authentication in there too.
Perhaps set up a table in your database that holds a cookie name and value pair that relates to a randomly generated code.
This code would be generated on login and only valid for one use for each domain. When the appropriate code is accessed, the relevant cooke is set for that domain. Once it has been set once, that authorisation code cannot be reused on that domain.
You are absolutely right. I was thinking more in terms of hijacking someones account.
The evil person would need to know the exact image url, have the same IP, same Bowser and would have to do so in 5 minutes. This is especially with our costumers most unlikely.
After first download of the image the db file could, or should be deleted anyway.
The unique image ID with a db connection, with short time information, has the benefit, that a spidered image url would have no use.
Finally we are not handling very sensitive information nor money transactions…
The answer to the original question was “no, you can’t”. We are trying to find ways around this.
I don’t even know that you would need to do this.
It depends on what you are using this for. How is somebody going to get access to the secure auth code to set the cookie? They could look at the source of the page, but by then the code would already have been used so it’s useless.
And if they can intercept the code before it has been used then they would probably be able to intercept your username and password anyway (or whatever it is you are trying to protect).
If you can let us know what you are trying to achieve maybe somebody can give you some more specific ideas on what you should do.
I’m not being obstructive, I’m trying to lead the conversation a little. I was concerned the OP was going to implement a poor solution.
Excellent! Finally. I was hoping the OP would elaborate without prompting though.
If the end result is to merely store a preference (colour scheme, for example), then the implementation could change drastically to say viewing account details.
For me, it’s the fact this security hole/vulnerability exists and is possible - not that it’s hard to do.