Sunday, September 7, 2008

Cookies Across Domains

by Chris Payne

Introduction
We all know and love cookies, for the liberties they allow us, and their delicious taste. If you've ever tried to share your cookies, however, you know that it's not as easy as it sounds.

Okay, cutting the baker talk. Cookies are very useful for developers - keeping track of users, doing cheaply what would otherwise need a database, personalization and customization, etc. Cookies are not transferable across domains; the only domain that can access a cookie is the domain that created it. This article takes a look at how to work around this limitation using Active Server Pages.

Cookies - A Brief Introduction
We're going to take a short detour and explain cookies a bit, and show you briefly how to manipulate them using ASP.

A cookie is a small file that is stored on a client's computer. That means that whenever a user visits your web site, you can quietly stash a file with information on their hard drive. This file can contain almost any information you want - including user info, site statistics, or even your own name, for those with vanity problems. It is easy to see how this could become a target for attackers, given what it allows.

One security measure to prevent abuse is that cookies can only be accessed by the domain that created them. This means that, for example, ASP101.com can only access (read from and write to) cookies that ASP101.com created. Generally, this is not a problem at all, but what if you work on two different sites on different domains that share user info stored in cookies? You could, of course, just duplicate the user info, but what if you want the user to register on only one site and be automatically registered on the other? Or if the sites share the same user database and you want to log users in automatically? Sharing cookies across domains is ideal for this situation.
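The same-domain rule described above is enforced by the browser, not by the server. The following is an added example, not code from the article, that models a minimal cookie jar applying the domain-matching rule of RFC 6265 so you can see why siteA.com never receives a cookie that siteB.com set, and why siteA.com cannot simply set a cookie scoped to siteB.com. The host names and cookie values are constructed for the example.

```python
# Added example (not from the article): a minimal browser cookie jar that applies
# the same-domain rule the article describes, using the domain-matching rule of
# RFC 6265 section 5.1.3. Host names and values below are constructed.
from dataclasses import dataclass


@dataclass
class Cookie:
    name: str
    value: str
    domain: str       # the Domain attribute as stored by the browser
    host_only: bool   # True when Set-Cookie carried no Domain attribute


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 domain-match: exact host, or host ends with '.' + cookie domain."""
    request_host = request_host.lower().rstrip(".")
    cookie_domain = cookie_domain.lower().lstrip(".").rstrip(".")
    if request_host == cookie_domain:
        return True
    return request_host.endswith("." + cookie_domain)


class CookieJar:
    def __init__(self):
        self.cookies = []

    def store(self, setting_host, name, value, domain=None):
        """Store a cookie as a browser would after a Set-Cookie from setting_host.

        A Domain attribute is accepted only if setting_host itself domain-matches
        it; otherwise the browser ignores the cookie (RFC 6265 section 5.3).
        Returns True if the cookie was stored.
        """
        if domain is None:
            self.cookies.append(Cookie(name, value, setting_host.lower(), True))
            return True
        if not domain_matches(setting_host, domain):
            return False  # e.g. siteA.com cannot set a cookie for siteB.com
        self.cookies.append(Cookie(name, value, domain.lower().lstrip("."), False))
        return True

    def cookies_for(self, request_host):
        """Return the cookies the browser would attach to a request to request_host."""
        sent = {}
        for c in self.cookies:
            if c.host_only:
                ok = request_host.lower() == c.domain
            else:
                ok = domain_matches(request_host, c.domain)
            if ok:
                sent[c.name] = c.value
        return sent


def demo():
    jar = CookieJar()
    # siteB.com sets its user cookie, scoped to its own domain (constructed value)
    jar.store("www.siteB.com", "MyCookie", "Username=alice", domain="siteB.com")
    # siteA.com attempts to set a cookie scoped to siteB.com: the browser rejects it
    rejected = not jar.store("www.siteA.com", "Shared", "x", domain="siteB.com")
    return {
        "seen_by_siteB": jar.cookies_for("www.siteB.com"),
        "seen_by_siteA": jar.cookies_for("www.siteA.com"),
        "cross_domain_set_rejected": rejected,
    }
```

Running demo() shows siteB.com's request carrying MyCookie, siteA.com's request carrying nothing, and the cross-domain Set-Cookie being dropped, which is exactly the limitation the rest of the article works around with a redirect.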

Before we get into that however, let's briefly show some ASP code that can manipulate cookies, so we have something to refer to later in the article.

'To write a cookie

' Expires: one year from today (Date + 365 is a VBScript date expression)
Response.Cookies("MyCookie").Expires = Date + 365
' Domain: the browser will only send this cookie back to mydomain.com
Response.Cookies("MyCookie").Domain = "mydomain.com"
' Keys stored inside the cookie; strUsername and strPassword were assigned earlier.
' Whatever is stored here travels in clear text with every request to the domain.
Response.Cookies("MyCookie")("Username") = strUsername
Response.Cookies("MyCookie")("Password") = strPassword

Reading and writing cookies is very simple. The above code sets a few properties for the cookie, the expiration date and the domain, and also sets a few values to be stored in the cookie. In this case, strUsername and strPassword are variables we assigned somewhere earlier. Then, to read from a cookie, you simply request the values:

'To read a cookie

' The browser sends back only the cookie's name and its keys/values, so Expires
' and Domain are not available on Request.Cookies; only the stored keys can be read.
If Request.Cookies("MyCookie").HasKeys Then
    strUsername = Request.Cookies("MyCookie")("Username")
    strPassword = Request.Cookies("MyCookie")("Password")
End If

For more detailed code using ASP, check out this sample on ASP 101.

The Easy Way
The secret to sharing cookies easily is redirection. Here is the general procedure:

1. A user hits siteA.com
2. If the user does not have a cookie for siteA.com, redirect the user to siteB.com
3. If the user has a cookie for siteB.com, redirect back to siteA.com with a special identifier (explained below); else, just send the user back to siteA.com
4. Write the cookie on siteA.com

Sounds pretty simple, huh? Let's expound a bit: siteA.com and siteB.com share the same set of users, and therefore if someone has a cookie (and is registered) at siteB.com, then siteA.com wants to be able to view those cookies as well, and provide whatever features the cookies allow. This way, visitors to siteA.com will have a similar experience to those at siteB.com.
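The four steps above are a protocol between two servers with the browser carrying messages between them, and the security of the whole scheme rests on what the "special identifier" in step 3 is. The following is an added example, not the article's ASP code, that models both sides of the hand-off in Python so the exchange can be run end to end. It assumes the two sites share a secret (reasonable, since they share a user database) and uses a short-lived HMAC-signed token carrying only the username as the identifier; the article's own identifier is not shown on this page, so that token format is this example's assumption, as are the request and response shapes, the URLs and the sample user "alice".

```python
# Added example (not the article's ASP code): the siteA.com / siteB.com redirect
# hand-off modelled in Python. SHARED_SECRET, the token format, the URLs and the
# handler return shapes are assumptions for this example.
import base64
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlsplit

SHARED_SECRET = b"constructed-secret-known-to-both-sites"  # assumption
TOKEN_TTL = 60                                             # seconds the hand-off token is valid
SITE_A = "https://siteA.com/"
SITE_B = "https://siteB.com/handoff"


def _now(now):
    return int(now if now is not None else time.time())


def make_token(username, now=None):
    """Step 3 identifier: 'username|expiry|HMAC-SHA256', base64 encoded."""
    expires = _now(now) + TOKEN_TTL
    payload = f"{username}|{expires}".encode()
    mac = hmac.new(SHARED_SECRET, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload + b"|" + mac.encode()).decode()


def verify_token(token, now=None):
    """Return the username if the token is intact and unexpired, else None."""
    try:
        username, expires, mac = base64.urlsafe_b64decode(token).decode().split("|")
        expires = int(expires)
    except ValueError:          # bad base64, bad UTF-8, wrong field count, bad int
        return None
    payload = f"{username}|{expires}".encode()
    expected = hmac.new(SHARED_SECRET, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None             # tampered or forged
    if expires < _now(now):
        return None             # replayed after its lifetime
    return username


def site_a(cookies, query, now=None):
    """The cookies.inc logic on siteA.com (steps 1, 2 and 4).

    Returns (kind, body, set_cookie): kind is "page" (body = username or None)
    or "redirect" (body = URL); set_cookie is a (name, value) pair or None.
    """
    if "MyCookie" in cookies:                      # already known here
        return ("page", cookies["MyCookie"], None)
    if "token" in query:                           # returning from siteB with an identifier
        username = verify_token(query["token"], now)
        if username is not None:
            return ("page", username, ("MyCookie", username))   # step 4
        return ("page", None, None)                # invalid token: treat as anonymous
    if "checked" in query:                         # siteB had no cookie either
        return ("page", None, None)
    return ("redirect", SITE_B, None)              # step 2


def site_b(cookies, now=None):
    """The hand-off page on siteB.com (step 3)."""
    if "MyCookie" in cookies:
        token = make_token(cookies["MyCookie"], now)
        return ("redirect", SITE_A + "?" + urlencode({"token": token}), None)
    return ("redirect", SITE_A + "?checked=1", None)


def browse(jar_a, jar_b, now=None):
    """Simulate a visitor hitting siteA.com; each site has its own cookie jar (dict).

    Returns the username siteA finally shows, or None for an anonymous visitor.
    """
    url = SITE_A
    for _ in range(5):                             # bound the redirect chain
        parts = urlsplit(url)
        query = {k: v[0] for k, v in parse_qs(parts.query).items()}
        if parts.hostname == "sitea.com":
            kind, body, set_cookie = site_a(jar_a, query, now)
            if set_cookie:
                jar_a[set_cookie[0]] = set_cookie[1]
        else:
            kind, body, set_cookie = site_b(jar_b, now)
        if kind == "page":
            return body
        url = body
    raise RuntimeError("redirect loop between siteA.com and siteB.com")
```

With a visitor who holds MyCookie only on siteB.com, browse() walks A to B to A, siteA verifies the token and writes its own cookie; with no cookie on either site the visitor comes back anonymous and nothing is written. The design choice worth noting is that the identifier in the redirect URL is a signed, expiring token naming the user rather than the cookie contents themselves: the URL is visible in browser history, proxy logs and Referer headers, so anything placed there should be useless to anyone who sees it later.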

This checking should be done in a cookies.inc file that you include on your pages on siteA.com. Let's take a look at the code on siteA.com:

More...
http://www.asp101.com/articles/chris/transfercookies/default.asp
