
Writing cookie fails with two servers!

Hi:
I have a problem with writing a cookie from JavaScript.
My problem is that I have two servers,
one is A, and the other is B.
(1) I call aaa.html from A.
In aaa.html :
...
<iframe id="frame1" src='http://B/bbb.html'></iframe>
...
(2) In bbb.html :
document.cookie="key=123";
alert(document.cookie);

I fail to write key=123 to the cookie.
Is this because of the different IP?
Is there any other way to write a cookie?
Any suggestion will be very much appreciated.

Thanks a lot!

marshalli
Jul 23 '05 #1
Hi

Cookies are stored per domain.
So your cookie is there, but not readable for the other server.

That is how it should be.
If all domains could read all cookies, it is very easy to get your hands on
information that is none of your business, and 'steal' sessions.
For example:

page 1: My site where I sell great universal translators (fish).
page 2: Your session to your bank, where you modify your savings.

I could get your sessionid from page 1, pretend I am you, and transfer some
amount to my account. If you are lucky I send you a Babelfish back.
Anyway: it is very unsafe if cookies are shared between domains.

(Actually, early versions of Netscape allowed it. That was changed when
people realized it was very unsafe.)

This is a bad example because most banks use better security than a session
stored in a cookie, at least the bank I use.

So I think you cannot use cookies.
You can of course send information to another domain by posting it, or using
url-encoding in the get-string:
http://www.myfish.com/index.php?name...lyname=Prefect

But that is of course something else than a cookie, and is also a bad way to
start a session (because you have 2 sessions, one on each domain).

Hope that helps.

Regards,
Erwin Moller

Jul 23 '05 #2
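
The per-domain scoping described in the reply above, as an added example that is not part of the original thread: a small cookie jar using the RFC 6265 domain-match rule, with a.example and b.example as constructed host names standing in for servers A and B. It models only domain scoping; paths, expiry and browser policy for framed content are left out.

```javascript
// Added example (not from the thread). a.example and b.example are
// constructed host names standing in for servers A and B.
const isIp = (h) => /^\d{1,3}(\.\d{1,3}){3}$/.test(h) || h.includes(":");
const norm = (d) => d.toLowerCase().replace(/^\./, "");

// RFC 6265 section 5.1.3 domain-match: exact match, or a dot-separated
// suffix match that is never applied to IP addresses.
function domainMatch(host, domain) {
  host = norm(host);
  domain = norm(domain);
  if (host === domain) return true;
  return !isIp(host) && host.endsWith("." + domain);
}

class CookieJar {
  constructor() { this.cookies = []; }

  // Called for document.cookie writes in a document loaded from originHost.
  // A Domain attribute that does not cover originHost is rejected.
  set(originHost, name, value, domainAttr) {
    if (domainAttr && !domainMatch(originHost, domainAttr)) return false;
    const domain = norm(domainAttr || originHost);
    this.cookies = this.cookies.filter(
      (c) => !(c.name === name && c.domain === domain));
    this.cookies.push({ name, value, domain, hostOnly: !domainAttr });
    return true;
  }

  // What document.cookie would return in a document loaded from host.
  get(host) {
    host = norm(host);
    return this.cookies
      .filter((c) => (c.hostOnly ? c.domain === host : domainMatch(host, c.domain)))
      .map((c) => `${c.name}=${c.value}`)
      .join("; ");
  }
}

// The thread's setup: aaa.html on A frames bbb.html on B, which sets key=123.
function demo() {
  const jar = new CookieJar();
  jar.set("b.example", "key", "123");
  return {
    seenByB: jar.get("b.example"),
    seenByA: jar.get("a.example"),
    bSetsForA: jar.set("b.example", "key", "123", "a.example"),
  };
}
console.log(demo());
```

The cookie belongs to the host of the framed document, not to the page that contains the frame, and a host addressed by IP only ever matches itself.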
Hi:
Thank you for your help.
The problem is that my web page will read/write a cookie for myself.
Other servers will include my web page.

That means A will include B
and B will read/write B's cookie.
B doesn't want to read/write A's cookie.
I think it shouldn't be a security problem.
Am I wrong? Or is there anything I didn't think about?

Thanks a lot.

marshalli



Jul 23 '05 #3
