Share cookies with other domains

Question

I know that it's possible to allow other domains to read our domain cookie as long as they're sub domains of the same parent domain.

For example, intranet.abc.com and extranet.abc.com can allow cookies to be read by each other by specifying the domain property to .abc.com

Now, I'm really in need that I can allow other domains to read my domain cookie (they are not sub domains of the same domain). I have searched a lot of discussions on the internet => all say "NO" due to security issues . I'm not sure if I missed a solution out there because I don't see any security issues in this case. My server clearly ALLOWS this cookie to be read by an XYZ.COM domain because the cookie does not contain any sensitive information and XYZ.COM domain is my trusted domain,

In my opinion, there should be a way to specify a list of other domains that are allowed to read a particular cookie in our domain , just like CORS, the server can decide if the information should be available to some trusted domains.

Please tell me if it's possible without using a workaround and if so, how to do it? If it's not possible, I really would like to know why.

Some information about what I'm implementing:

I'm implementing a file download and on client side I need to detect whether the download is complete by periodically checking for a download token in the cookie using an interval in javascript.

The logic of the current system I'm working on at the moment may store the files in 2 different servers. If the file is missing in the current server, it will download file in another server (another domain)

Thank you very much.

Answer 1

You can read off-domain cookies by opening an iframe to specially instrumented page on the other domain and using the window.postMessage API to communicate between windows. HTML5 only, obviously.

Simplifying the postMessage API somewhat for brevity, consult MDN developer pages for full details. https://developer.mozilla.org/en-US/docs/Web/API/Window.postMessage

<iframe id="ifrm" src="http://other.domain.com/getCookie.html"></iframe>
<script>
    var iframe = document.getElementById('ifrm');

    window.addEventListener('message', function (e) {
         if (e.source === iframe.contentWindow && e.origin === 'other.domain.com') {
             var cookie = e.data;
            //do something with cookie
         }

     }); 
    //wait for the iframe to load...maybe ping it first...then
    iframe.contentWindow.postMessage('give me the cookie:cookie name', 'other.domain.com');
</script>

    /* in getCookie.html */

<script>
    window.addEventListener('message', function (e) {
        if (e.origin === 'your.domain.com') {
             var soughtCookie = /give me the cookie\:(.*)/.exec(e.data)[1];
             // read the cookie
             var cookie = getCookieFn(soughtCookie)
             e.source.postMessage(cookie.toString(), 'your.domain.com');
        }
    }, false);
</script>

Answer 2

you could have a backend web service which shares the contents of the cookie with the 3rd party, but then your server would have to hold the cookie value in session and have a session id that is some how shared with the other website.

Can also special page and redirection so that the cookie value is read and passed to your domain as a form submit.

Lets say your domain is yours.com and on page yours.com/page1 you set some cookie value.

Now xyz.com , another domain wants that value. xyz.com/somePage, redirects to yours.com/spl (along with parameter of the page to send user to say xyz.com/somePage2), Now yours.com/spl gets the cookie via JavaScript and then redirects to xyz.com/somePage2 passing the cookie value as a POST or a GET parameter.

Full working sample at http://sel2in.com/pages/prog/html/acrossSites/make.php (with a simple web service)

AJAX not example wont work but can do it with iframes.

Code :

coki.js (goes on the first site that wants to expose cookies)

function setCookie(cname,cvalue, daysExpire)
{
var d = new Date();
d.setTime(d.getTime()+(daysExpire * 24 * 60 * 60 * 1000));
var expires = "expires=" + d.toGMTString();
document.cookie = cname + "=" + cvalue + "; " + expires + " ; path=/ ;"
}

function getCookie(cname)
{
var name = cname + "=";
var ca = document.cookie.split(';');
for(var i=0; i<ca.length; i++)
  {
  var c = ca[i].trim();
  if (c.indexOf(name)==0) return c.substring(name.length,c.length);
  }
return "";
}

wsa.php (goes on site 1). To make it more secure can check the calling page/ container URL and use a dynamic secret key.

<html>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<?php

error_reporting(E_WARNING);
$d = $_REQUEST['s'];
if($d != "secret565"){
    echo "Bad secret bye";
    return;
}

$n = $_REQUEST['n'];
if($n == ""){
    echo "No cookie name, bye";
    return;
}



?>

<script src=coki.js>
</script>
<script >


    n = '<?php echo "$n"?>'
    v = getCookie(n)
    //alert("For " + n + ", got :" + v + ".")
    window.parent.gotVal(n, v)



</script>

getc.html

Goes on site 2, gets the value of cookie C1 or other cookie from site 1 via wsa.php, using an iframe. wsa.php reads the secret auth key and cookie name from its parameters, then calls a javascript function in containing page to pass back values

    <form name=f1 action=ws.php method=post>
<h1>Get cookie from Javascript sample </h1>
http://sel2in.com/pages/prog/html/acrossSites/
<table>

<tr><td>Url from <td/><td> <input name=u1  value='wsa.php' size=100><td/></tr>

<tr><td>Cookie Name <td/><td> <input name=n  value='C1'><td/></tr>

<tr><td>Secret <td/><td> <input name=s value='secret565'><td/></tr>


<tr><td><input type=button value='Go' onclick='s1do()' > <td/><td><td/></tr>

</table>


</form>

<div id = result>result here</div>

<div id = cc1>container</div>


v 2 c
<script>
function gotVal(n, v){
    document.getElementById("result").innerHTML = "For " + n + ", got :" + v + "."
}

function s1do(){
    document.getElementById("cc1").innerHTML = ""
    n1 = document.f1.n.value
    s1 = document.f1.s.value
    url = document.f1.u1.value
    qry = "s=" + escape(s1) + "&n=" + escape(n1)
    s = "<iframe border=0 height =1 width=1 src=\"" + url + "?" + qry + "\" ></iframe>"
    document.getElementById("cc1").innerHTML = s
}

</script>