How to Use Cookies Across Two Different Domains

How do I use cookies across two different domains?

On both domains, place an image or other web element that is pulled from the other domain. Use the URL to notify the other domain that user X is on domain A, and let domain B associate that user ID with that user on their system.

It's a little complex to carry out correctly, but if you think it through it'll work out very well.

Vinko points out in a comment (thanks!) that I shouldn't take it for granted that you understand the security risks involved. If this information is of any value to anyone, then you should make sure you use proper encryption, authentication, etc. to avoid releasing sensitive information and to avoid various attacks (replay, man in the middle, etc.). This shouldn't be too onerous since you control both websites and you can select a secure secret key for both, since the communication is only going between the two servers via this special URL. Keep it in mind though.

-Adam

Share cookie between domains

No, you cannot share cookies across domains. The browser will only send a cookie to the domain (or sub-domains thereof) that initially set it.

Read up on the Same origin policy / Cookie policy

Get cookie of a domain by another domain

A web page rendered from one domain cannot read the cookies of another domain. This is by design and is for privacy purposes.

If you absolutely need the value, you will need to add a page to abc.com that reads the cookie and redirects to xyz.com, passing the cookie value as a query string or form parameter. From that point, xyz.com can read the value from the request and set a cookie or otherwise provide the value to the page.

If you don't have access to xyz.com's code base, you will need to find a design that does not require the cookie to be shared.

Cookies - set across multiple domains

Create a common domain specifically for your cookies and use it as a getter/setter API.

http://cookie.domain.com/set/domain1
http://cookie.domain.com/get/domain1

http://cookie.domain.com/set/domain2
http://cookie.domain.com/get/domain2

and so on.

How to set a cookie for another domain

You cannot set cookies for another domain. Allowing this would present an enormous security flaw.

You need to get b.com to set the cookie, for instance if a.com redirects the user to b.com/setcookie.php?c=value.

The setcookie script could contain the following to set the cookie and redirect to the correct page on b.com:

<?php
// Store the value handed over by a.com as a cookie on b.com
setcookie('a', $_GET['c']);
// Send the user on to the real landing page; Location needs an absolute URL
header("Location: https://b.com/landingpage.php");
exit;
?>

Share cookie between subdomain and domain

If you set a cookie like this:

Set-Cookie: name=value

then the cookie will only apply to the request domain, and will only be sent for requests to the exact same domain, not any other subdomains. (See What is a host only cookie?)

Two different domains (e.g. example.com and subdomain.example.com, or sub1.example.com and sub2.example.com) can only share cookies if the domain attribute is present in the header:

Set-Cookie: name=value; domain=example.com

The domain attribute must "domain-match" the request URL for it to be valid, which basically means it must be the request domain or a super-domain. So this applies for both examples in the question, as well as sharing between two separate subdomains.

This cookie would then be sent for any subdomain of example.com, including nested subdomains like subsub.subdomain.example.com. (Bear in mind there are other attributes that could restrict the scope of the cookie and when it gets sent by the browser, like path or Secure).

Because of the way the domain-matching works, if you want sub1.example.com and sub2.example.com to share cookies, then you'll also share them with sub3.example.com.

See also:

  • www vs no-www and cookies
  • cookies test script to try it out

A note on leading dots in domain attributes: In the early RFC 2109, only domains with a leading dot (domain=.example.com) could be used across subdomains. But this could not be shared with the top-level domain, so what you ask was not possible in the older spec.

However, the newer specification RFC 6265 ignores any leading dot, meaning you can use the cookie on subdomains as well as the top-level domain.
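As an added illustration of the host-only and domain-attribute rules described above (example code, not from any of the answers): a small model of how a browser decides which cookies a request host receives, following RFC 6265 domain matching, with the leading-dot behaviour handled as the newer spec requires.

```javascript
// Added example: model of RFC 6265 cookie scoping (not from the answers above).
// Hosts and headers below are constructed sample values.

// RFC 6265 section 5.1.3: requestHost domain-matches cookieDomain if they are
// equal, or if cookieDomain is a suffix of requestHost preceded by a '.'
// (and requestHost is a name, not an IP address).
function domainMatches(requestHost, cookieDomain) {
  requestHost = requestHost.toLowerCase();
  cookieDomain = cookieDomain.toLowerCase();
  if (requestHost === cookieDomain) return true;
  return requestHost.endsWith('.' + cookieDomain) && !/^[\d.]+$/.test(requestHost);
}

// Store a Set-Cookie header received from requestHost. Returns null when the
// browser would reject it because the domain attribute does not domain-match
// the request host (RFC 6265 section 5.3, step 6).
function storeCookie(setCookieHeader, requestHost) {
  const [pair, ...attrs] = setCookieHeader.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const cookie = {
    name: pair.slice(0, eq).trim(),
    value: pair.slice(eq + 1).trim(),
    hostOnly: true,                       // no domain attribute: host-only cookie
    domain: requestHost.toLowerCase(),
    secure: false,
  };
  for (const attr of attrs) {
    const [k, v = ''] = attr.split('=').map(s => s.trim());
    const key = k.toLowerCase();
    if (key === 'domain' && v) {
      // Section 5.2.3: a leading dot is ignored (RFC 2109 used to require it)
      const domain = v.replace(/^\./, '').toLowerCase();
      if (!domainMatches(requestHost, domain)) return null;
      cookie.hostOnly = false;
      cookie.domain = domain;
    } else if (key === 'secure') {
      cookie.secure = true;
    }
  }
  return cookie;
}

// Decide whether a stored cookie is attached to a request to requestHost
// (section 5.4): host-only cookies need an exact host match, domain cookies
// need a domain match, and Secure cookies are only sent over HTTPS.
function isSentTo(cookie, requestHost, isHttps = true) {
  if (cookie.secure && !isHttps) return false;
  if (cookie.hostOnly) return requestHost.toLowerCase() === cookie.domain;
  return domainMatches(requestHost, cookie.domain);
}
```

Running it against the two header forms from the answer shows the host-only cookie staying on subdomain.example.com while the domain=example.com cookie reaches the apex, sibling subdomains and nested subdomains alike.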
