Re: [PHP] Setting cookies for other domains
On Friday 18 March 2005 10:32, Brian Dunning wrote:

>> I suspect it's for sub-domains of sites you administer and not completely different domains altogether.
>
> If this is true, and it's not possible for a site to set a cookie for a completely different domain, then why do browsers have security options to allow or prevent this specific action?

When you display a webpage it very often pulls in a load of crap from other websites (eg banner ads). These other websites are able to set their own cookies (for their particular domains). The browser prefs are for preventing these 3rd party websites from setting these 3rd party cookies.

--
Jason Wong - Gremlins Associates - www.gremlins.biz
Open Source Software Systems Integrators
* Web Design Hosting * Internet Intranet Applications Development *
--
Search the list archives before you post
http://marc.theaimsgroup.com/?l=php-general
--
New Year Resolution: Ignore top posted posts

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Setting cookies for other domains
on 3/17/05 6:32 PM, Brian Dunning at [EMAIL PROTECTED] wrote:

>> I suspect it's for sub-domains of sites you administer and not completely different domains altogether.
>
> If this is true, and it's not possible for a site to set a cookie for a completely different domain, then why do browsers have security options to allow or prevent this specific action?
>
> I'm thinking it must be possible, and that there's a reason for the domain option in setcookie() other than subdomains. Would just love to know how to make it work...

The domain option exists in scripting implementations solely for the purpose of sub domains. It is not there to imply you can use it for more than one domain, but to allow you to secure your sub domains. If you set a cookie for .example.com then test.example.com and *.example.com etc will be able to read it. This is not always what you want, in some cases, you may have intranet.example.com and www.example.com and you would not want to set the domain parameter to .example.com as that would allow one to read your intranet cookies.

You will simply never make it work, it is designed to never allow this. There has been one security issue I can think of to date that allowed it, but it was patched promptly. The day someone figured out how to set a cookie for amazon.com and read it while under some other domain is the day all the news sites will be covering that topic.

Cross domain cookies are indeed possible, look at microsoft.com, msn.com and msnbc.com which indeed do share your cookies from one site to the next, however, they do it by redirects and get/post methods, which is perfectly legit since they control those domains. No one outside someone with access to those servers could implement it.

You are misinterpreting the prefs in browsers, they can not do what you ask.

--
Scott Haneda
Tel: 415.898.2602
http://www.newgeo.com
Novato, CA U.S.A.
Re: [PHP] Setting cookies for other domains
> You are misinterpreting the prefs in browsers, they can not do what you ask.

That's fine, I'm perfectly willing to accept this - but can someone explain what the pref IS for?
Re: [PHP] Setting cookies for other domains
on 3/18/05 5:47 AM, Brian Dunning at [EMAIL PROTECTED] wrote:

>> You are misinterpreting the prefs in browsers, they can not do what you ask.
>
> That's fine, I'm perfectly willing to accept this - but can someone explain what the pref IS for?

You have not said which browser and what pref you are referring to.

--
Scott Haneda
Tel: 415.898.2602
http://www.newgeo.com
Novato, CA U.S.A.
RE: [PHP] Setting cookies for other domains
Brian Dunning mailto:[EMAIL PROTECTED] on Thursday, March 17, 2005 4:45 PM said:

> Question: why didn't this work, is it supposed to work the way I was trying, and if not, then what is that domain variable there for???

Answer: Seems to me that browsers wouldn't allow this as it could create any number of security problems. Nonetheless, I've never really used the domain option but I suspect it's for sub-domains of sites you administer and not completely different domains altogether.

Read here: http://wp.netscape.com/newsref/std/cookie_spec.html

HTH,
Chris.
Re: [PHP] Setting cookies for other domains
Brian Dunning wrote:

> I've always known that you can specify a domain when you set a cookie, and for kicks I experimented with a test page setting a cookie for the yahoo.com.

> Seems to me that browsers wouldn't allow this as it could create any number of security problems.

This is why the specification mentions, Only hosts within the specified domain can set a cookie for a domain.

> Question: why didn't this work, is it supposed to work the way I was trying, and if not, then what is that domain variable there for?

It allows you to specify the domain for which the cookie is valid. When a browser makes a request, it checks for cookies to be included in the Cookie header. Only those that meet the requirements (domain, path, expiry, etc.) are included.

Hope that helps.

Chris

--
Chris Shiflett
Brain Bulb, The PHP Consultancy
http://brainbulb.com/
Re: [PHP] Setting cookies for other domains
> I suspect it's for sub-domains of sites you administer and not completely different domains altogether.

If this is true, and it's not possible for a site to set a cookie for a completely different domain, then why do browsers have security options to allow or prevent this specific action?

I'm thinking it must be possible, and that there's a reason for the domain option in setcookie() other than subdomains. Would just love to know how to make it work...

- Brian
Re: [PHP] Setting cookies
Chris Boget wrote:

> We are accessing the cookie values using $_COOKIE. What appears to be happening is that when we echo the values of the above cookies on dev.change.wild.net, it is displaying the values set for on change.wild.net. Why is that? Because change.wild.net is the primary domain with 'dev' being a subdomain? Is there any way we can force it so that the cookie values are pulled for the correct domain?

I think you are probably right and I think it is due to tail matching. A link from the manual pointed to:

http://wp.netscape.com/newsref/std/cookie_spec.html

What about clearing your cookies when you switch between your dev server and your live server? Takes a little more manual effort, but should work.

- Brad
Re: [PHP] Setting cookies
--- Chris Boget [EMAIL PROTECTED] wrote:

> We have 2 servers, one for development and one for production. The development server is dev.change.wild.net while the production server is change.wild.net. We are using the following code to set the cookie
>
> $expire_time = time()+60*60*24*30; // 30 days
> setcookie( 'this', $this, $expire_time, '/', $_SERVER['HTTP_HOST'] );
> setcookie( 'that', $that, $expire_time, '/', $_SERVER['HTTP_HOST'] );
>
> We are accessing the cookie values using $_COOKIE. What appears to be happening is that when we echo the values of the above cookies on dev.change.wild.net, it is displaying the values set for on change.wild.net. Why is that?

Because dev.change.wild.net is within the change.wild.net domain. This is by design. They are not different domains. You can always use:

1. dev.change.wild.net
2. www.change.wild.net

or

1. change-dev.wild.net
2. change.wild.net

Hope that helps.

Chris

=====
HTTP Developer's Handbook
http://shiflett.org/books/http-developers-handbook
My Blog
http://shiflett.org/
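Added example, not part of any message in this thread: a simplified JavaScript model of the browser-side rules the replies above describe, namely that a host may only set a cookie for a domain it belongs to, and that a cookie carrying a Domain attribute is sent to every subdomain. It assumes RFC 6265 domain matching, leaves out public-suffix checks, and all function names are hypothetical.

```javascript
// Simplified model of browser cookie domain rules (RFC 6265 domain-matching).
// Function names are hypothetical; public-suffix checks are left out.

// True when host equals domain or is a subdomain of it (match on a label boundary).
function domainMatches(host, domain) {
  const h = host.toLowerCase();
  const d = domain.toLowerCase().replace(/^\./, '');
  return h === d || h.endsWith('.' + d);
}

// What the browser stores for a Set-Cookie received from requestHost.
// Returns null when the cookie is rejected.
function acceptCookie(requestHost, name, domainAttr) {
  const host = requestHost.toLowerCase();
  if (!domainAttr) {
    // No Domain attribute: host-only cookie, sent back to this exact host only.
    return { name, domain: host, hostOnly: true };
  }
  // The setting host must itself lie inside the requested domain.
  if (!domainMatches(host, domainAttr)) return null;
  const domain = domainAttr.toLowerCase().replace(/^\./, '');
  return { name, domain, hostOnly: false };
}

// Names of the cookies in jar that go into the Cookie header for host.
function cookiesFor(host, jar) {
  const h = host.toLowerCase();
  return jar
    .filter(c => (c.hostOnly ? c.domain === h : domainMatches(h, c.domain)))
    .map(c => c.name);
}

// Constructed scenario built from the host names mentioned in the thread.
function demo() {
  const attempts = [
    acceptCookie('www.example.com', 'foreign', 'yahoo.com'),    // rejected
    acceptCookie('www.example.com', 'sid', '.example.com'),     // whole domain
    acceptCookie('change.wild.net', 'this', 'change.wild.net'), // Domain = HTTP_HOST
    acceptCookie('change.wild.net', 'that', null),              // Domain omitted
  ];
  const jar = attempts.filter(c => c !== null);
  return {
    rejected: attempts[0] === null,
    intranet: cookiesFor('intranet.example.com', jar), // ['sid']
    dev: cookiesFor('dev.change.wild.net', jar),       // ['this']
    prod: cookiesFor('change.wild.net', jar),          // ['this', 'that']
  };
}

console.log(demo());
```

When the domain argument is left out of setcookie(), a browser that follows RFC 6265 stores a host-only cookie, so dev.change.wild.net no longer receives the values set on change.wild.net.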
RE: [PHP] Setting Cookies
-----Original Message-----
From: Scott 'INtense!' Reismanis [mailto:[EMAIL PROTECTED]]
Sent: 08 June 2002 04:52

> Anyhow basically what is happening, is that cookies are being set fine, however say I try to set two cookies in the one script i.e.
>
> setcookie(username, $HTTP_POST_VARS['username'], time()+31536000);
> setcookie(password, $HTTP_POST_VARS['password'], time()+31536000);
>
> only the cookie that was called last, i.e. 'password' will be set. I only started noticing this problem since I installed php4.2 and apache2.0, is that the cause?

Yes. (There are several bug reports at http://bugs.php.net/ about this -- I *think* it's been fixed in the development version of PHP 4.3)

Cheers!

Mike

--
Mike Ford, Electronic Information Services Adviser,
Learning Support Services, Learning Information Services,
JG125, James Graham Building, Leeds Metropolitan University,
Beckett Park, LEEDS, LS6 3QS, United Kingdom
Email: [EMAIL PROTECTED]
Tel: +44 113 283 2600 extn 4730
Fax: +44 113 283 3211
Re: [PHP] Setting Cookies
Yes, setting a cookie and redirecting in the same request is not reliable. Some browsers can do it sometimes, others can't.

-Rasmus

On Mon, 10 Dec 2001, Steve Osborne wrote:

> I am attempting to use the SetCookie command. I receive the following error:
>
> Warning: Cannot add header information - headers already sent by (reference to current page)...
>
> At this point I have authenticated the user, and am trying to set the cookie before redirecting them to the registered users section. Should I be setting the cookie on the top of the page that I am sending them to?
>
> Any comments or suggestions would be greatly appreciated.
>
> Steve Osborne
> [EMAIL PROTECTED]
Re: [PHP] Setting Cookies
Not necessarily on the top, but before any html begins

Zliy Pes, http://zliypes.com.ua

----- Original Message -----
From: Steve Osborne [EMAIL PROTECTED]
To: PHP-General (E-mail) [EMAIL PROTECTED]
Sent: Monday, December 10, 2001 9:39 PM
Subject: [PHP] Setting Cookies

> I am attempting to use the SetCookie command. I receive the following error:
>
> Warning: Cannot add header information - headers already sent by (reference to current page)...
>
> At this point I have authenticated the user, and am trying to set the cookie before redirecting them to the registered users section. Should I be setting the cookie on the top of the page that I am sending them to?
>
> Any comments or suggestions would be greatly appreciated.
>
> Steve Osborne
> [EMAIL PROTECTED]
Re: [PHP] Setting Cookies
On Monday 10 December 2001 14:39, Steve Osborne wrote:

> Warning: Cannot add header information - headers already sent by (reference to current page)...
>
> At this point I have authenticated the user, and am trying to set the cookie before redirecting them to the registered users section. Should I be setting the cookie on the top of the page that I am sending them to?

Yes, or do what I do and redirect to a dologin page that sets the cookie and autorefreshes after one second to the real page, which requires the cookie to be set already.

--
Casey Allen Shobe
[EMAIL PROTECTED]