获取cookie时如何重定向页面两次

Question

Firstly, I know this nearly impossible because someone can steal cookie if this possible. But because I am still doubtful around 1%, so I think I need to ask the community, so I can completely know if this still possible or completely impossible.

Let's say I have mysite.com/promotion which is permalink for shop.org/aff.php?id=123 . Id 123 is my affiliate ID. After visitor click that link, the visitor will redirected to shop.com/index.php (homepage). Then shop.com will command the visitor browser to save my affiliate cookie. Note : I have access for mysite.org but I don't have any access for shop.com.

The problem with this behaviour is that I only can promote the overall whole things about shop.org, but I cannot promote his specific product link . Because when I give the visitor a product link, I will not have any commission because the guest never access my affiliate url. But when I give him my affiliate url, he will need to find out where the product link is.

Now I will give some demo code to illustrate this.

shop.org/index.php

<?php session_start()?>
<h1>shop.com HOME PAGE</h1>
    <div>cookie affiliate: <span>EMPTY</span></div><br>
<script src="https://cdnjs.cloudflare.com/ajax/libs/js-cookie/2.2.1/js.cookie.min.js"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.5.1/jquery.min.js"  ></script>
<script type="text/javascript">
    $(function(){
        <?php if(isset($_SESSION['aff'])):?>
        Cookies.set('aff', '<?=$_SESSION['aff']?>');
        <?php endif;?>
        var aff = Cookies.get('aff');
        if(aff!==undefined){
            $('span').text(aff);
        }
        
    })
</script>

shop.org/aff.php?id=123

<?php session_start();
$_SESSION['aff'] = $_GET['id'];
header('Location:https://shop.org/index.php');

shop.org/product.php

<?php session_start();?>
<p>shop.com PRODUCT PAGE</div>
<div>cookie affiliate: <span>EMPTY</span></div><br>
<script src="https://cdnjs.cloudflare.com/ajax/libs/js-cookie/2.2.1/js.cookie.min.js"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.5.1/jquery.min.js"  ></script>
<script type="text/javascript">
    $(function(){
        <?php if(isset($_SESSION['aff'])):?>
        Cookies.set('aff', '<?=$_SESSION['aff']?>');
        <?php endif;?>
        var aff = Cookies.get('aff');
        if(aff!==undefined){
            $('span').text(aff);
        }
        
    })
</script>

Try 1: hidden iframe then redirect with js / html meta

mysite.org/promotion

<!DOCTYPE html>
<html>
<head>
    <title>INI REDIRECT</title>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    <meta http-equiv="refresh" content="5;URL=https://shop.org/product.php" />
</head>
<body>
    <iframe src="https://shop.org/aff.php?id=123" width="0" height="0" tabindex="-1" title="empty" style="display:none;"></iframe>
    <div>You will be redirect in 5 seconds</div>
</body>
</html>

Visitor will fail to get my affiliate cookie because he get warned : A cookie associated with a cross-site resource at https://shop.org/ was set without the 'SameSite' attribute. It has been blocked, as Chrome now only delivers cookies with cross-site requests if they are set with 'SameSite=None' and 'Secure'. A cookie associated with a cross-site resource at https://shop.org/ was set without the 'SameSite' attribute. It has been blocked, as Chrome now only delivers cookies with cross-site requests if they are set with 'SameSite=None' and 'Secure'.

Try 2: jQuery load

<!DOCTYPE html>
<html>
<head>
    <title>INI REDIRECT</title>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    <meta http-equiv="refresh" content="5;URL=https://shop.org/product.php" />
</head>
<body>
    <iframe src="https://shop.org/aff.php?id=123" width="0" height="0" tabindex="-1" title="empty" style="display:none;"></iframe>
    <div>You will be redirect in 5 seconds</div>
    <div id="msgDiv"></div>
    <script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.5.1/jquery.min.js"  ></script>
    <script>
        $(function(){
             $('#msgDiv').load('https://shop.org/aff.php?id=123');
         });
    </script>
</body>
</html>

this will fail too, because CORS policy. Remember I don't have any access to shop.org, so I can't enable this.

Try 3: scraping the cookies then give visitor that cookies

I have not given code here, because I know this will fail too. The reason is we cannot give cross domain cookie to the browser.

My question is, is this completely impossible or still possible?

Note : if only 1 site, I just need to email them to fulfill my needs. But, shop.org is only 1 example of the most common affiliate system. So this question is only focusing without any change at server. Yes, impossible, but I just have a little doubt here.

Answer 1

I think it's nearly impossible, because the CORS-Policy is exactly to block this cases. You can do something like this only if the other site allows this with a specific HTTP-Header.

You can try <img src="https://shop.org/aff.php?id=123" style="height: 0; width: 0;"> , but i think the result would be the same to the iframe.

Other method:

Maybe the shop-page offers this method, for example with a GET-Attribute:

shop.com/aff.php?id=123&url=/product/myproduct/

or

shop.com/product/myproduct/?aff=123