
I have a cookie problem

I want to reduce the entropy in the cookie management across the multiple sites of my application, and I cannot manage to do it.

I have a public application made of multiple subdomains and even different domains. They all interoperate and are deployed as independent microservices running inside independent dockers with independent sessions.

I don't think it matters, but just for information, the application is mainly done with PHP and Symfony 3, 4 and 5 depending on the microservice. To store the cookies in the browser I use the mechanisms that Symfony provides.

Imagine the sites for example to be:

  • www.example.com ➜ The catalog in Spanish
  • www.example.it ➜ The catalog in Italian
  • checkout.example-world.com ➜ To purchase
  • go.example-world.com ➜ For affiliate programmes + redirecting users from site to site and centralize the cookies.
  • members.example.com ➜ Members area for Spanish users
  • members.example.it ➜ Members area for Italian users

Trouble

Each site stores its own set of cookies. I have considerable backend work to synchronize all the cookies to know who is who in each place.

For example

  1. If they load the catalog arriving via Google SEO, it silently loads a pixel image "from the go domain" with a token so I can bind the "catalog cookie" and the "go cookie".
    1. I.e.: The browser queries www.example.com and the catalog server stores the cookie (call it the catalog-cookie) sent to the browser plus a specific token representing this page-load.
    2. The browser renders the catalog page and then requests the images; one of them is loaded from go.example-world.com carrying the token in the query string (image.png?pageToken=4444), and the go server stores the cookie (call it the go-cookie) sent to the browser plus the received token.
    3. A long-running background process reads all the rows in the log tables, finds the same pageToken here and there and binds the catalog-cookie with the go-cookie.
  2. If the same person then receives an email to pay, say they do not get a link to the checkout but a link to the "go" site, which redirects to the checkout passing another "token" so I can link the "go cookies" and the "checkout cookies".
    1. The browser goes to a dynamically generated link in the go system (here go.example-world.com) and sends back the cookie we set in go when visiting the catalog; the server stores the cookie plus a new redirection token and sends an HTTP 302 to the checkout passing the token as a parameter.
    2. The browser loads the checkout from checkout.example-world.com and the checkout server stores the redirection token along with the checkout cookie.
    3. Another long-running background process similar to the other one matches this token and links the "go-cookie" with the "checkout cookie".

At this point I can bind the checkout and the catalog and, for example, remove from the catalog suggestions for the product they already purchased. Note that there is no "login system" and the user did not create an account for this process.

I would love to have a single set of cookies for all my sites. But the most I manage to do is to have a single set of cookies for "each" domain or subdomain.

How the hell do they do it?

Nevertheless, when I look at my logs, where I store all the HTTP headers for each request, I usually see a large set of cookies that arrive at my server BUT are not set by me. For example:

[Screenshot of the server-side request log listing the received cookies; image not included]

My question is

If they (Google, Youtube, Stripe, etc.) can set cookies that arrive to my server, then I should be able to do so from my other sites. But how could I send my own cookies from the other sites to myself on the other domains to simplify my tracking? I don't know what to send from the server to the browser.

Currently my cookies *_a, *_b and *_c that you see in the image are 5-year-long, 30-minute-long and session-long respectively.

If a person already visited my catalog coming from an affiliate and the catalog loaded the photos from some CDN, I would like to receive in the checkout for example this set:

catalog_a catalog_b catalog_c affiliate_a affiliate_b affiliate_c photos_a photos_b photos_c, and then I respond with "add checkout_a checkout_b checkout_c", and a new visit to the catalog would carry the full set back to it, including the previous ones plus the new set of 3.

But the most I manage to do is that every domain sees its own.

How can it be done?

Xavi Montero
  • Does this answer your question? [Cross-Domain Cookies](https://stackoverflow.com/questions/3342140/cross-domain-cookies) – Andrea Olivato Mar 12 '22 at 01:01
  • What you're looking for are cross-domain cookies. You can read above for more info. To clarify further, what Google/Stripe/etc. do is not cross-domain cookies; they simply set cookies via a JS hosted on their domain, and those cookies cannot be accessed by your app. They are linked to their domains and only their domains can read them. What you want instead is that cookies are shared, readable and writable from different domains, totally different. – Andrea Olivato Mar 12 '22 at 01:03
  • "and those cookies can not be accessed by your app." => Indeed, they can. The screenshot is my server-side. So I do see the cookies from Google/Stripe in my backend and in my app. The screenshot is not frontend. It is backend. Can "their javascript hosted in their domain" write cookies in the browser that are later sent by the browser to "my site" on a new page-load? – Xavi Montero Mar 12 '22 at 01:16
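An added example, not from the question or the comments above: the browser-side domain-matching rule that decides which cookies a request carries, simulated with Python's `http.cookiejar` (whose `DefaultCookiePolicy` applies the RFC 6265 domain rules) on the hostnames named in the question. It shows that a response from go.example-world.com may scope a cookie to example-world.com, so checkout.example-world.com receives it, but a cookie it tries to scope to example.com is discarded; the cookie names and values are constructed.

```python
# Added example: browser cookie scoping simulated with http.cookiejar, whose
# DefaultCookiePolicy applies the RFC 6265 domain-matching rules. Hostnames
# are the ones from the question; cookie names/values are constructed.
from email.message import Message
from http.cookiejar import CookieJar
from urllib.request import Request


class _FakeResponse:
    """Minimal stand-in for an HTTP response: CookieJar only needs .info()."""

    def __init__(self, set_cookie_headers):
        self._headers = Message()
        for line in set_cookie_headers:
            self._headers["Set-Cookie"] = line  # Message appends duplicate names

    def info(self):
        return self._headers


def receive_set_cookie(jar, url, set_cookie_headers):
    """Browser receives Set-Cookie headers in a response from `url`; the jar
    silently drops any cookie whose Domain the responding host may not set."""
    jar.extract_cookies(_FakeResponse(set_cookie_headers), Request(url))


def cookies_sent_to(jar, url):
    """Names of the cookies the browser would attach to a request for `url`."""
    req = Request(url)
    jar.add_cookie_header(req)
    header = req.get_header("Cookie") or ""
    return sorted(p.split("=", 1)[0].strip() for p in header.split(";") if p.strip())


def demo():
    jar = CookieJar()
    # 1. The catalog page sets a host-only cookie (no Domain attribute).
    receive_set_cookie(jar, "https://www.example.com/", ["catalog_a=c1; Path=/"])
    # 2. The pixel response from the go server tries two Domain values:
    #    its own registrable domain (kept) and the catalog's (discarded).
    receive_set_cookie(jar, "https://go.example-world.com/image.png?pageToken=4444", [
        "go_a=g1; Domain=example-world.com; Path=/",
        "foreign_a=x1; Domain=example.com; Path=/",
    ])
    hosts = ["www.example.com", "members.example.com",
             "checkout.example-world.com", "go.example-world.com"]
    return {h: cookies_sent_to(jar, f"https://{h}/") for h in hosts}


if __name__ == "__main__":
    for host, names in demo().items():
        print(f"{host:28} Cookie: {', '.join(names) or '(none)'}")
```

A cookie scoped to a domain the responding host does not belong to is dropped before it is ever stored, so cookies never cross from example-world.com to example.com on their own; carrying an identifier across that boundary needs an explicit handoff such as the token in the pixel or redirect URL described in the question.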

0 Answers