55

I have built a website (A) which logs in to and retrieves customer data from a separate web service.

The organisation that owns (A) also has a website (B) which has a web form. They want a logged-in customer on (A) to be able to click across to (B) and see a pre-populated form with their details.

This means (A) must write their customer ID to a cookie, which (B) can read, and then (B) can request the data from the web service, and pre-populate the form.

This raises two questions:

  1. Can website (B) read the cookie for website (A)?

  2. If so, to prevent someone from editing a cookie and seeing other people's data in the form, I would need to do something like encrypt the cookie on (A) and then have that decrypted in (B) - any suggestions along this line?

I can't change the existing login to OAuth or something, as the web service is consumed by several other sites, so this cannot change.

Sean

  • Hey, I know it has been a long time since then, but I'm in your exact situation. Can you tell me how you ended up implementing it? I would really appreciate it. – Ebdulmomen1 Sep 19 '20 at 15:16

7 Answers

51

No. Website B can't read a cookie from website A.

The easiest work-around is to pass login/credential information from website A to website B and have website B set a separate cookie. For example, after logging into website A you could have them quickly redirected to website B with an encrypted querystring. Website B could then read the information, set its own cookie, and redirect the user back to site A.

It's messy but possible.

Chris Van Opstal

  • Thanks Chris. The problem is, there's no "user action" that indicates they want to move from A to B. They login to A, do some activity, then they might navigate to B at some point, not via a link on site A though. It might be possible to have the two sites on the same domain, as subdomains. Would that make it a possibility? – Sean Sep 11 '12 at 13:17
  • If after the login you can redirect the user quickly to website B, set the cookie there, and then redirect them back, they could visit website B at any time in the future (while the cookie persisted) and have that information available. – Chris Van Opstal Sep 11 '12 at 13:18
  • Sorry, I didn't see the double-redirect on first read. This gives me an option, thanks. – Sean Sep 11 '12 at 13:22
  • Hi. I saw a Facebook cookie in Instagram. Seems like they can share cookies across different domains? – Caal Saal VI Apr 17 '18 at 14:36
  • @Chris by this way, it's possible to identify users on specific databases, then share information between websites if I understand well – HoCo_ Aug 24 '18 at 14:01
  • Thanks for sharing this. I posted [this answer](https://stackoverflow.com/a/73599289/17865804) based on it – Chris Sep 07 '22 at 12:08
  • Hi @ChrisVanOpstal. I am facing an intermittent issue with the latest browsers. When a user logs into Website A, I call Website B's API (we enabled A as a CORS filter) which returns the cookies and sets them on Website B. So when the user switches to B they are already available on that site. But sometimes those cookies are not set correctly. Sometimes I could see them set on Website B and sometimes not. – Irus Nov 03 '22 at 18:14
  • Is there anything related to set-cookie properties like secure or path? A sample one is how I am using to set cookies: Set-Cookie cookie1=2342sdfg234gfdg; domain=.website.B; path=/; secure; SameSite=None;SameSite=None;?Secure; secure – Irus Nov 03 '22 at 18:15

48

You mentioned the same company owns both sites. As you suspected, if the sites have the same domain like www.mycompany.com and store.mycompany.com, then they can share cookies. The HTTP response header would look something like this:

Set-Cookie: user_id=1295214458; Path=/; Domain=.mycompany.com

Since the client has direct access to this data, you should also include a signature so tampering would be detected. Usually the whole thing is encrypted and signed into a "token", and that is set as the cookie. But technically, just the signature is required.

Ted Bigham

  • Can the cookie be shared with two different domains like `.mycompany.com` and `.yourcompany.com`? – PC. Feb 22 '23 at 06:51
  • Not using the Set-Cookie header described here. They must share the top level domain name. – Ted Bigham Feb 24 '23 at 00:27
  • Is there any way if they share the same IP address but are different virtual hosts? – Lothar Apr 05 '23 at 02:33
  • @Lothar Not as far as I know. At this level, cookies don't really care about IP address, just domain. Although there may be some dirty trick with redirecting both to the IP address which redirects back where it came from and adds the cookie content as a URL query parameter or fragment. – Ted Bigham Apr 06 '23 at 14:46

18

If in your case all your users use browsers with HTML5 support, you can use the window.postMessage method, which allows you to addEventListener on one side and postMessage from the other. Here is a nice article/example: https://developer.mozilla.org/en-US/docs/Web/API/window.postMessage.

Then the steps are simple:

  1. add to site A a hidden iframe to site B
  2. send B's cookie to A using window.postMessage
  3. store the received cookie in A's cookie

Alexander

  • This is an interesting approach, thank you for posting it. I have recently implemented a [working solution](https://stackoverflow.com/a/73599289/17865804) based on this, for anyone that might be interested. – Chris Sep 11 '22 at 06:56

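The three steps above as an added example, not code from the answer: the security-relevant part is that both pages check `event.origin` and pass an explicit target origin instead of `'*'`. The two origins, the bridge page path and the cookie names are assumptions, and the cookie B reads must not be HttpOnly, since `document.cookie` cannot see those.

```javascript
// Added example (not from the answer): hidden-iframe + postMessage hand-off
// with origin checks on both sides. Origins and paths are assumptions.
const SITE_A_ORIGIN = 'https://a.example.com';  // embeds the hidden iframe
const SITE_B_ORIGIN = 'https://b.example.com';  // holds the customer cookie

// Read one named cookie from document.cookie (only non-HttpOnly cookies are visible).
function readCookie(name) {
  const m = document.cookie.match(new RegExp('(?:^|; )' + name + '=([^;]*)'));
  return m ? decodeURIComponent(m[1]) : null;
}

// Site B (inside the iframe): only answer requests that come from site A, and
// address the reply to A's origin so no other embedder can receive it.
function handleRequestOnB(event, readCookieValue) {
  if (event.origin !== SITE_A_ORIGIN) return false;   // ignore any other embedder
  if (!event.data || event.data.type !== 'customer-token-request') return false;
  const token = readCookieValue();
  if (typeof token !== 'string') return false;        // nothing to hand over
  event.source.postMessage({ type: 'customer-token', token }, SITE_A_ORIGIN);
  return true;
}

// Site A (the parent page): accept the token only if it really came from B.
function handleReplyOnA(event, storeToken) {
  if (event.origin !== SITE_B_ORIGIN) return false;
  if (!event.data || event.data.type !== 'customer-token' || typeof event.data.token !== 'string') return false;
  storeToken(event.data.token);
  return true;
}

// Browser wiring; skipped when the file is loaded outside a browser (e.g. Node).
if (typeof window !== 'undefined') {
  if (window.location.origin === SITE_B_ORIGIN) {
    window.addEventListener('message', (ev) => handleRequestOnB(ev, () => readCookie('customer_token')));
  } else if (window.location.origin === SITE_A_ORIGIN) {
    const frame = document.createElement('iframe');
    frame.style.display = 'none';
    frame.src = SITE_B_ORIGIN + '/token-bridge.html';   // hypothetical page on B
    window.addEventListener('message', (ev) => handleReplyOnA(ev, (t) => {
      document.cookie = 'customer_token=' + encodeURIComponent(t) + '; Path=/; Secure; SameSite=Strict';
    }));
    frame.addEventListener('load', () => frame.contentWindow.postMessage({ type: 'customer-token-request' }, SITE_B_ORIGIN));
    document.body.appendChild(frame);
  }
}
```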
2

Cookies are only accessible to a single domain that they are set to.

I believe if you are using two sub-domains on the same domain it would be possible to share the cookies, however the browser doesn't send cookies set on one domain to any others.

Edit: You also want to avoid storing large amounts of data in a cookie. Is there perhaps the chance you could create an API that site B could query with JavaScript?

Samuel Parkinson
1

There are open source tools on the internet that can do that, but this is against the whole idea behind the cookies philosophy. Cookies are meant to be accessed by only one domain. You can however mock that domain and 'hack' into the browser. It's not recommended and some browsers have tighter security and don't allow that.

I suggest you create a web service in website A and give reading access to B to read it.

Frank Goortani
1

Potential work-around: You could use an inline frame on the secondary site to show content from the primary site (taking up the full window):

<!DOCTYPE HTML>
<html>
  <head>
    <title>your page title</title>
    <style type="text/css">
      body, html {
        margin: 0; padding: 0; height: 100%; overflow: hidden;
      }
      #content {
        position: absolute; left: 0; right: 0; bottom: 0; top: 0px;
      }
    </style>
  </head>
  <body>
    <div id="content">
      <iframe width="100%" height="100%" frameborder="0" src="http://yourMainSite.com/dataDependentPage.php"></iframe>
      TESTING
    </div>
  </body>
</html>

Axel
0

HttpCookie.Domain Property might help.

Excerpt:

MyCookie.Domain = domainName;
Imad