27

I have a small problem.

How do I set a cookie for multiple domains?

I do understand the security problems, and I am sure it has been done before. The reason for this is SSO.

ie.

account.domain.com will need to set domain logged in for:

domain.com, domain1.com, domain2.com.

Is there any easy way, using PHP and cookies, or any alternatives?

Cloud
bear
  • Here's another post on stackoverflow that shows how facebook does it, and yes, it is possible with iframes and javascript. http://stackoverflow.com/questions/4701922/how-does-facebook-set-cross-domain-cookies-for-iframes-on-canvas-pages – inorganik Sep 02 '11 at 18:14
  • [HTTP State Management Mechanism RFC6265](http://tools.ietf.org/html/rfc6265) – hakre Jun 22 '12 at 11:46

4 Answers

33

There is absolutely no way for domain.com to set a cookie for domain1.com. What you are attempting to do can only be solved by getting the user's browser to submit requests to each domain which will then set its own cookie.

Then you need a way for each domain to verify the user's identity. There are two approaches to this:

  1. Back channel - the sites contact each other directly to determine if a user is logged in.
  2. Passing a token in the GET or POST - when the user's browser is redirected to the other site a digitally signed parameter is passed containing the identity and session status.

It's really quite complicated. I suggest you don't roll your own. Take a look at SimpleSAMLPHP for a PHP implementation of what I'm describing.

Andrew Strong
  • Here is another way, get domain.com to connect with domain1.com and get token then pass that token in the header of JS calls or as a separate field then domain1.com should check that token and respond accordingly. Does that make sense? – Hafiz Apr 26 '16 at 15:31
6

What you're attempting can't be done. (It's a browser security issue, not a PHP one.)

Other than using some form of off-site authentication, the nearest you can achieve is making a cookie accessible across sub-domains, in which case you just use the optional 'domain' arg of PHP's set_cookie function.

John Parker
6

This can be done via one domain acting like a master and others like a slave.

Say we've got a domain accounts.domain.com and it's our master.

Then we've got our slaves domain.com, something.com and another.com

When you'll log on on domain.com, it'll actually be the site accounts.domain.com, then you'll get a cookie with a unique ID for your browser and then you'll be redirected to domain.com's post-logon landing page (ie. domain.com/logon?check=true&unique-id=<browser unique id>&request-id=<unique request ID>). The landing page will contact accounts.domain.com, querying it with the browser ID. If the transaction's okay, then you'll get a logon cookie from domain.com.

Next, on every domain (domain.com, something.com and another.com) there will be an initial redirect to accounts.domain.com/roaming-check?return-url=<URL the redirect was initiated from>. Because we're returning home (we're already logged on at accounts.domain.com), we'll be redirected again to our landing page (<domain name>.com/logon?check=true&unique-id=<browser unique id>&request-id=<unique request ID>) and from this point it's the same as the part with logging on. We're seamlessly roamed to another domain (without the user knowing it, as browsers don't usually show the redirected page until it has passed the headers send(server)/receive(browser) section).

In case there's in fact no active logon, the site will save this "negative logon" to session and not try to check logon anymore (until we try to logon or load another domain).

marc_s
lmojzis
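The signed-token handoff that Andrew Strong's answer recommends and lmojzis's answer walks through, as an added PHP example (not code from the question, from any answer, or from SimpleSAMLPHP). The shared secret, the claim names, the function names issueHandoffToken/verifyHandoffToken, and domain1.com as the slave domain are assumptions for the example.

```php
<?php
// Added example: the master (accounts.domain.com) issues an HMAC-signed handoff
// token; the slave (domain1.com) verifies it before setting its OWN cookie.
// Secret, claim names and domain names are assumptions, not from the thread.
const SHARED_SECRET = 'replace-with-a-long-random-secret'; // placeholder
const TOKEN_TTL     = 60; // seconds; handoff tokens should be short-lived

// Master side: token bound to one target domain (aud) and one request id (jti).
function issueHandoffToken(string $userId, string $audience, string $requestId): string
{
    $claims  = ['sub' => $userId, 'aud' => $audience,
                'jti' => $requestId, 'exp' => time() + TOKEN_TTL];
    $payload = rtrim(strtr(base64_encode(json_encode($claims)), '+/', '-_'), '=');
    return $payload . '.' . hash_hmac('sha256', $payload, SHARED_SECRET);
}

// Slave side: check signature, audience, expiry and single use.
// $seenIds stands in for persistent storage of already-consumed request ids.
function verifyHandoffToken(string $token, string $myDomain, array &$seenIds): ?array
{
    $parts = explode('.', $token, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$payload, $sig] = $parts;
    if (!hash_equals(hash_hmac('sha256', $payload, SHARED_SECRET), $sig)) {
        return null; // forged or tampered (constant-time comparison)
    }
    $claims = json_decode(base64_decode(strtr($payload, '-_', '+/')), true);
    if (!is_array($claims) || !isset($claims['aud'], $claims['jti'], $claims['exp'])) {
        return null;
    }
    if ($claims['aud'] !== $myDomain || $claims['exp'] < time() || isset($seenIds[$claims['jti']])) {
        return null; // issued for another domain, expired, or replayed
    }
    $seenIds[$claims['jti']] = true;
    return $claims;
}

// Landing page on domain1.com: set a local session cookie only after the token
// checks out; the master's own cookie value is never copied across domains.
$seen  = [];
$token = issueHandoffToken('alice', 'domain1.com', bin2hex(random_bytes(16)));
if (verifyHandoffToken($token, 'domain1.com', $seen) !== null) {
    setcookie('sso_session', bin2hex(random_bytes(32)), [
        'path' => '/', 'domain' => 'domain1.com', 'secure' => true,
        'httponly' => true, 'samesite' => 'Lax',
    ]);
}
```

Presenting the same token a second time returns null from verifyHandoffToken because its request id is already in $seenIds, which is what makes the handoff single-use.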
4

I think this solution will suit your needs: "Simple Single Sign-On for PHP"

SamGoody
merkuro