REMINDER: Sydney November Meetup


Just a reminder for the Sydney November meetup tomorrow: http://groups.drupal.org/node/30038

Please signup if you plan to attend.

Comments

3rd Party Cookies


I made a statement at the last meeting concerning third party cookies and whether they can be used to aid logins across sites on different domains. The basic statement was along the lines of 'you can't do it because browsers block third party cookies by default these days.' It seems that reality is a bit more complicated than this and I thought I'd just post up some clarifying points.

Let's say we are dealing with the following domains: tracker.kom and goodguy.kom.

It is important to distinguish between the sending of third party cookies which (i) you have received when visiting the tracker.kom site directly vs (ii) are set/sent when the tracker image/iframe is embedded in the site being viewed - goodguy.kom.

It appears that IE and Opera block the second case by default. For a short time FF3b3 took a hard line and blocked both situations. FF then relented and I gather that they just block the second approach to keep in line with the other browsers. The FF devs were a bit annoyed at this because it is possible to circumvent this weaker approach by redirecting users from goodguy through tracker where they get the first party cookie and then back to goodguy where it will continually be sent.

https://bugzilla.mozilla.org/show_bug.cgi?id=417800
http://foolswisdom.com/firefox-3-saved-cookies-still-too-tasty-by-default/

What does this mean for our conversation regarding single signon? Well, it appears that things will be sweet because the user will have already voluntarily visited the third party site and received the cookie. This means that when a visitor lands on goodguy.kom the cookie will be sent back to tracker.kom. So yes, the cookie will work. How does this help us with signon though? Goodguy still has no knowledge of the cookie so I'm not really sure how it can be used. Maybe I am missing something.

An alternative would be to pass a salted hash of the user id through to goodguy in the query string. This wouldn't stop replay attacks though. You could google "nonces" and look at oauth for ways of solving that problem. Oh joy.

http://en.wikipedia.org/wiki/Cryptographic_nonce
http://hueniverse.com/2008/10/beginners-guide-to-oauth-part-iii-security...

cheers

Murray

Managing Director
Morpht

Australia
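The comment above notes that passing a salted hash of the user id in the query string is replayable, and points at nonces and OAuth for the fix. Here is an added example (not code from the original post, nor from Drupal or Morpht) that shows both forms side by side: the replayable salted hash, then a token that carries a timestamp and a nonce under an HMAC with a shared secret, verified by the receiving site with an expiry window and a nonce cache so a captured URL cannot be used twice. The shared secret, the `goodguy.kom` endpoint, the function names and the 300-second window are assumptions for illustration.

```python
"""Added example, not from the original post: sign-on tokens in a query string.

weak_token/verify_weak reproduce the replayable "salted hash of the user id"
idea from the comment. make_sso_url/SsoVerifier show the hardened form with a
timestamp and nonce under an HMAC. Secret, domain and names are assumptions.
"""
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed shared secret known to both sites (provisioned out of band in practice).
SHARED_SECRET = b"example-shared-secret-do-not-reuse"
SSO_ENDPOINT = "https://goodguy.kom/sso?"  # assumed receiving endpoint


def weak_token(uid: str, salt: str = "static-salt") -> str:
    """Salted hash of the user id only: nothing in it ever changes, so a
    captured URL is valid forever (the replay problem the comment mentions)."""
    return hashlib.sha256((salt + uid).encode()).hexdigest()


def weak_login_url(uid: str) -> str:
    return SSO_ENDPOINT + urlencode({"uid": uid, "h": weak_token(uid)})


def verify_weak(url: str, salt: str = "static-salt") -> bool:
    q = parse_qs(urlparse(url).query)
    uid, h = q["uid"][0], q["h"][0]
    return hmac.compare_digest(weak_token(uid, salt), h)


def make_sso_url(uid: str, now: Optional[int] = None) -> str:
    """Hardened form: HMAC-SHA256 over uid|timestamp|nonce with a shared secret."""
    ts = int(time.time()) if now is None else now
    nonce = secrets.token_hex(16)  # fresh per token; never reused by the issuer
    msg = f"{uid}|{ts}|{nonce}".encode()
    sig = hmac.new(SHARED_SECRET, msg, hashlib.sha256).hexdigest()
    return SSO_ENDPOINT + urlencode({"uid": uid, "ts": ts, "nonce": nonce, "sig": sig})


class SsoVerifier:
    """Receiving-site check: signature, freshness window, then one-time nonce."""

    def __init__(self, max_age: int = 300, skew: int = 60):
        self.max_age = max_age      # seconds a token stays acceptable
        self.skew = skew            # clock drift tolerated between the two sites
        self.seen: Dict[str, int] = {}  # nonce -> time after which it can be forgotten

    def verify(self, url: str, now: Optional[int] = None) -> Optional[str]:
        """Return the user id on success, None on any failure (no partial trust)."""
        now = int(time.time()) if now is None else now
        q = parse_qs(urlparse(url).query)
        try:
            uid, ts_raw, nonce, sig = (q[k][0] for k in ("uid", "ts", "nonce", "sig"))
            ts = int(ts_raw)
        except (KeyError, ValueError):
            return None
        expected = hmac.new(SHARED_SECRET, f"{uid}|{ts}|{nonce}".encode(),
                            hashlib.sha256).hexdigest()
        # Constant-time compare; a mismatch also covers any tampered field.
        if not hmac.compare_digest(expected, sig):
            return None
        # Too old, or issued implausibly far in the future.
        if not (now - self.max_age <= ts <= now + self.skew):
            return None
        # Forget nonces whose tokens could no longer pass the freshness check,
        # so the cache stays bounded, then reject a still-live nonce seen before.
        self.seen = {n: until for n, until in self.seen.items() if until > now}
        if nonce in self.seen:
            return None
        self.seen[nonce] = ts + self.max_age + self.skew
        return uid
```

The nonce cache only needs to remember a nonce for as long as the timestamp check would still accept the token, which is why the expiry window and the cache prune are tied to the same `max_age`; without the timestamp the cache would have to grow forever. Note that the receiving site still learns nothing about the tracker's cookie, as the comment observes; the token is what carries the identity across the domain boundary.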
