
Sharing a cookie created on one domain with an addon domain

I have a domain where I've set a cookie: myDomain.com

My problem is that I need to access that same cookie from my subdomain which is physically in the same server but separated as domain / addon domain.

So, I have myDomain.com = Main Domain

and myAdonDomain.com = Addon Domain

Is there any way to have a cookie shared by both?

Yeah, as long as you know how to access it... you can access it from anywhere. Facebook and various advert services use such cookies to track you and your behaviour to target adverts specifically tailored for you.

read

No, it's not possible. Browsers do not allow it.

If you want to make this happen, do this on the server side.

Make one website check whether the session is available on the other website; if yes, then act accordingly.

Note: You can't share subdomain cookies with your main domain either. The browser treats them as different. This is the same case as co.in being able to access all the cookies and sessions of mysite.co.in (which is not allowed).

EDIT (for alexC on SSO)

  • SSO implementation doesn't necessitate having cookies anywhere.

Let's take an example:

  • Google has an SSO server which does the user's session management on it. (Let's name it sso.google.com, a dummy name.)

  • When we open Gmail (for the first time)

  • Gmail initially has no session cookies set for it (even if the user has logged in to other google services like plus.google.com or orkut.com)

  • So, Gmail site redirects the user to sso.

  • Here, if the user is logged in, the cookie is already set, so this server identifies it. If the user is not logged in, a login page is shown to the user, by which the user is logged in. The user is logged in to sso.google.com and not to gmail.com.

  • sso.google.com then redirects the user to gmail.com with a cookie or a GET variable which contains the session token (a randomly generated unique session identifier string).

  • This session token is then stored by Gmail in its own session. So on every further click, this session token is internally checked with sso.google.com to see whether the session is still valid, and if yes, the pages are served, or else the user is again redirected to the SSO site.

  • The same applies to any other Google products. And this is how session management across multiple products is done. This model is implemented mostly in SaaS-based applications, where there are multiple tenants of a product.

  • And as you can see in this flow, there is no requirement of a cookie in all this. And even if a cookie were relied on at all, the user's logout from one application would have given no intimation to the current application, and hence an integrity and security problem would arise.

Hope this clarifies things on SSO implementation.
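The flow described in this answer, as an added example that is not part of the original post: an in-memory Python model of a central SSO host and two relying sites. The names `SsoServer`, `App`, `issue_token`, `callback` and `handle` are hypothetical, and dictionaries stand in for the cookie stores and the back-channel HTTP call.

```python
import secrets

class SsoServer:
    """Central session authority (the answer's dummy sso.google.com)."""
    def __init__(self):
        self._users = {}    # SSO-domain cookie -> user
        self._tokens = {}   # session token -> SSO cookie it was issued for

    def login(self, user):
        cookie = secrets.token_urlsafe(32)   # set on the SSO domain only
        self._users[cookie] = user
        return cookie

    def issue_token(self, sso_cookie):
        if sso_cookie not in self._users:
            return None                      # not logged in: show login page
        token = secrets.token_urlsafe(32)    # random, unguessable identifier
        self._tokens[token] = sso_cookie
        return token                         # handed to the app on redirect

    def validate(self, token):
        # Unknown tokens and logged-out sessions both resolve to None.
        return self._users.get(self._tokens.get(token))

    def logout(self, sso_cookie):
        self._users.pop(sso_cookie, None)
        self._tokens = {t: c for t, c in self._tokens.items() if c != sso_cookie}

class App:
    """A relying site on its own domain (the answer's gmail.com)."""
    def __init__(self, sso):
        self.sso = sso
        self._sessions = {}                  # this site's cookie -> SSO token

    def callback(self, token):
        if self.sso.validate(token) is None:
            return None                      # unknown or logged-out token
        local_cookie = secrets.token_urlsafe(32)
        self._sessions[local_cookie] = token
        return local_cookie                  # set on this site's domain only

    def handle(self, local_cookie):
        token = self._sessions.get(local_cookie)
        user = self.sso.validate(token)      # re-checked on every request
        if user is None:
            self._sessions.pop(local_cookie, None)
            return "redirect-to-sso"
        return f"page for {user}"
```

Because each site re-validates its stored token with the SSO host, a logout there ends the session on every site without any cookie crossing a domain boundary.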

If it's a subdomain, the cookie can be shared (or mydomain.com and IMissWhitney.mydomain.com). If they are different domains, the cookie can't be shared.

EDIT: linuxeasy is right, the documentation was a bit off point and old, so here's a newer link from 2011 specifically on PHP. +1 linuxeasy

http://www.innovativephp.com/sharing-cookies-across-multiple-domains-hosted-on-different-servers/

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address. Any question please contact: yoyou2525@163.com.
