Richard Lynch wrote:

>Would setCookie('user_id', $PHPSESSID, 0, '/');
>let you get away with setting the cookies for the "other" site? 

Luckily no. :-)

There are vulnerabilities in IE 4.0 - 6.0 that will let you read/write 
cookies not in your domain, but this is a result of a bug in IE and not 
ordinary behavior.

>Hey, but all those stupid "Banner Ad" sites give me a cookie from the
>*other* guy's site.
>All ya gotta do is have three invisible GIFs on all three sites that come
>from the *other* sites and the GIF does the set_cookie() of whatever their
>user ID is.

I'm not sure where you got this idea, but you should investigate 
further. A banner ad is usually nothing more than an image, and your 
browser will make a completely separate HTTP GET request for that image. 
When that is the case, there is no way the remote site can read or write 
cookies outside of its own domain. They can set cookies from their own 
domain, and you might see the cookie warnings on the same "page" or 
whatever, but the domains will definitely be different.

Happy hacking.
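
The scoping rule the reply describes, as an added example that is not part of the original post: it follows the domain-match and storage rules later written down in RFC 6265 and checks the banner-image case. The host names and function names are assumptions made for illustration, and the public-suffix check real browsers also apply is left out.

```javascript
// Added example: cookie domain scoping per RFC 6265 (sections 5.1.3, 5.3).
// All host names are constructed for illustration.

function isIpAddress(host) {
  return /^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.includes(":");
}

// True when `host` domain-matches `cookieDomain`: identical, or a
// subdomain of it (suffix preceded by a dot, and host is not an IP).
function domainMatch(host, cookieDomain) {
  host = host.toLowerCase();
  cookieDomain = cookieDomain.toLowerCase();
  if (host === cookieDomain) return true;
  return !isIpAddress(host) && host.endsWith("." + cookieDomain);
}

// What the browser stores for a Set-Cookie received from `responseHost`.
// Returns null when the cookie is rejected. Public-suffix checks omitted.
function acceptCookie(responseHost, domainAttr) {
  const host = responseHost.toLowerCase();
  const domain = (domainAttr || "").replace(/^\./, "").toLowerCase();
  if (domain === "") return { domain: host, hostOnly: true };
  if (!domainMatch(host, domain)) return null;
  return { domain, hostOnly: false };
}

// Whether a stored cookie is attached to a request for `requestHost`.
function cookieSentTo(cookie, requestHost) {
  const host = requestHost.toLowerCase();
  return cookie.hostOnly
    ? host === cookie.domain
    : domainMatch(host, cookie.domain);
}

// The banner case: a page on www.shop.example embeds an image that the
// browser fetches from img.ads.example in its own GET request.
function bannerScenario() {
  const imageHost = "img.ads.example";
  const own = acceptCookie(imageHost, "ads.example");
  return {
    ownAccepted: own !== null,
    foreignAccepted: acceptCookie(imageHost, "shop.example") !== null,
    ownSentToShop: cookieSentTo(own, "www.shop.example"),
    ownSentToAds: cookieSentTo(own, "banners.ads.example"),
  };
}

console.log(bannerScenario());
```

A cookie set without a Domain attribute, as in the quoted setCookie() call, is stored host-only and goes back only to the exact host that set it.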

