Scott Haneda <lists@xxxxxxxxxx> writes:

> Cross domain cookies are indeed possible, look at microsoft.com, msn.com and
> msnbc.com which indeed do share your cookies from one site to the next,
> however, they do it by redirects and get/post methods, which is perfectly
> legit since they control those domains. No one outside someone with access
> to those servers could implement it.

I might be wrong on this analysis, but here is how I think the MSN thing
works:

- When you go to hotmail.com, it redirects you to login.passport.com.

- If you do not have your cookie (from the passport.com domain), which
  identifies you as a valid MSN network user, you are asked to sign
  in. After a successful sign-on, your browser gets a passport cookie.

- Passport now redirects you to hotmail.com and passes your user
  information using the URL. I think it passes some sort of session
  id. Since in the background passport and hotmail share the same
  database, hotmail can check on a user's authentication based on the
  session id passed in the URL.

- The same thing happens when you go to msnbc.com. You are first
  redirected to passport.com and your passport.com cookie is examined.

Thus, even though you think that msn, hotmail and msnbc are sharing
the same cookie, they are not. It is passport.com that is doing the
dirty work of setting and examining the cookie.

--
Raj Shekhar                          Y!   : Operations Engineer
MySQL DBA, programmer and slacker    Y!IM : lunatech3007
home : http://rajshekhar.net         blog : http://rajshekhar.net/blog/

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
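
The redirect flow described in the message above, modelled as an added example that is not part of the original post or of any real Passport code. Only the domain names come from the message; Browser, SHARED_DB, USERS and the function names are hypothetical, and the account is constructed sample data.

```python
import secrets

# Hypothetical model of the flow in the post; only the domain names come from it.
SHARED_DB = {}                 # session id -> user, readable by every site (assumed)
USERS = {"alice": "s3cret"}    # constructed sample account


class Browser:
    """Cookie jar keyed by domain: a site only ever sees its own cookies."""

    def __init__(self):
        self.jar = {}

    def cookies_for(self, domain):
        return self.jar.setdefault(domain, {})


def passport(browser, return_to, credentials=None):
    """login.passport.com: checks or sets its own cookie, then redirects back."""
    cookies = browser.cookies_for("passport.com")
    sid = cookies.get("sid")
    if sid not in SHARED_DB:                      # no valid passport cookie yet
        if credentials is None or USERS.get(credentials[0]) != credentials[1]:
            return 200, "sign-in form"
        sid = secrets.token_urlsafe(16)           # unguessable session id
        SHARED_DB[sid] = credentials[0]
        cookies["sid"] = sid                      # cookie scoped to passport.com
    return 302, f"http://{return_to}/?sid={sid}"  # id handed over in the URL


def site(domain, url_sid=None):
    """hotmail.com or msnbc.com: never receives the passport.com cookie."""
    if url_sid is None:
        return 302, f"http://login.passport.com/?return={domain}"
    user = SHARED_DB.get(url_sid)                 # lookup in the shared database
    return (200, f"hello {user}") if user else (403, "unknown session")


def visit(browser, domain, credentials=None):
    """Follow the redirects a browser would follow for one page load."""
    status, _ = site(domain)                      # site bounces us to passport
    status, location = passport(browser, domain, credentials)
    if status != 302:
        return status, location
    return site(domain, location.split("sid=", 1)[1])
```

Because the id travels in the URL it also lands in browser history, Referer headers and server logs, so a deployment of this pattern would normally make it single-use and short-lived.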