Challenging javascript cookies question

jakepa2001

Hi all
I'll describe what I'm trying to do, because maybe there's another avenue I haven't thought of, then I'll describe what I'm trying... All help gratefully appreciated!

I want to send users of my site, mysite.com, to a friend's site, hissite.com, when they click on a link on my site. I want to send them to a given page hissite.com/targetpage.html but I want them to have a cookie that hissite.com only drops on the homepage hissite.com/index.html. So in some way I have to send my user first to hissite.com/index.html, picking up the cookie, and then forward them on to hissite.com/targetpage.html with the cookie.

The way I'm doing it is with frames. In one frame I load hissite.com/index.html and in the other frame I load a page from mysite.com which redirects itself after a couple of seconds to hissite.com/targetpage.html, loading this into the top.location.href, so that the whole window is replaced by targetpage.html and the user has been successfully taken from my site to targetpage.html via hissite/index.html so he has the cookie. In theory.

In practice the problem is that this solution works on Firefox browsers, but not on IE. I think it's due to cross-scripting security on IE. What happens is that the cookie dropped by hissite.com/index.html (using javascript that sets the document.cookie property) is NOT sent in the call to hissite.com/targetpage.html. If I set up the test all on one host, so that the initial frames page, the index.html page and the targetpage.html are all on the same server, everything works fine. It's just when it's cross-site that it fails. Which is weird, because the call to hissite.com/targetpage.html is to the same server as the cookie from hissite.com/index.html came from so presents no security risk, yet IE still blocks sending the cookies.

Anyone have any suggestions, thoughts, etc? Here is the full code of what I'm doing:

Initial frameset:

<HTML><HEAD></HEAD><FRAMESET rows="*,100%">
<FRAME frameborder=0 noresize name=main src=<FRAME frameborder=0 noresize name=small src=</FRAMESET>
</HTML>

And the source of change.html:
<html>
<head>
<script language="JavaScript"><!--
function sortit() {
time1=window.setTimeout('doit()',4000);
}
function doit() {
top.location.href='}
//--></script>
</HEAD><BODY onload="sortit();"> Please wait - redirecting..</BODY></HTML>


Thanks for your help!
Bruce
 
I don't want to appear like a clown and all that... but is it possible you have cookies disabled or some other security setting in IE that is preventing it from working properly? What if you specifically allow hissite.com as a trusted domain?

It's a tricky one - to be sure! I'll ponder on it some more and see if I can come up with something better.

Cheers,
Jeff

 
Hi - thanks for your reply - yes I'm 100% certain it's nothing to do with settings on my IE - I have set up a test between two domains that I have and have watched which surfers get the cookie and which ones don't. Firefox, Netscape and IE 5.5 get it 100% of the time and IE 6.0 gets it 0% of the time. It's something which has been changed for IE 6.0 but I'm hoping there's a way round it - there's no security reason not to send a domain back the cookies it dropped itself even if the page is requested from another frame.

It may be something users can change in their IE settings, but that doesn't help me as I have 50,000 users who have no incentive to change the setting just so my friend can track traffic on his site.

Thanks for your continued thinking :-)

Bruce
 
Maybe you could send your visitors to hissite.com through use of parameters in the url -- and then these parameters can be "unravelled" at hissite.com to generate the tracking information.

Cheers,
Jeff
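
The URL-parameter approach suggested above, sketched as an added example that is not part of the original thread: the outbound link carries a referrer id, and hissite.com/targetpage.html sets its own first-party cookie from it. The parameter name `ref`, the cookie name `referrer` and the allowlist are assumptions; the value is visitor-controlled, so it is validated before it goes anywhere near `document.cookie`.

```javascript
// Added example: referral tracking through a URL parameter instead of a
// cookie picked up in a cross-domain frame. "ref", "referrer" and the
// allowlist below are assumptions made for this illustration.

const KNOWN_REFERRERS = new Set(["mysite"]); // partners hissite.com accepts
const REF_PATTERN = /^[a-z0-9-]{1,32}$/;     // rejects ';', '=', spaces, CR/LF

// Runs on mysite.com: build the outbound link to the target page.
function buildReferralLink(targetUrl, referrerId) {
  if (!REF_PATTERN.test(referrerId)) throw new Error("invalid referrer id");
  const url = new URL(targetUrl);
  url.searchParams.set("ref", referrerId);
  return url.toString();
}

// Runs on hissite.com/targetpage.html: read the parameter from the page URL.
// Returns the referrer id, or null when it is missing, malformed or unknown.
function readReferrer(pageUrl) {
  const ref = new URL(pageUrl).searchParams.get("ref");
  if (ref === null || !REF_PATTERN.test(ref)) return null;
  return KNOWN_REFERRERS.has(ref) ? ref : null;
}

// Cookie string that targetpage.html assigns to document.cookie. The page is
// the top-level document here, so the cookie is first-party.
function referralCookie(pageUrl, maxAgeSeconds = 86400) {
  const ref = readReferrer(pageUrl);
  if (ref === null) return null;
  return `referrer=${ref}; Max-Age=${maxAgeSeconds}; Path=/; SameSite=Lax`;
}

// Browser-only part: set the cookie when the page loads.
if (typeof document !== "undefined") {
  const cookie = referralCookie(window.location.href);
  if (cookie) document.cookie = cookie;
}
```

Anyone can type the parameter by hand, so the resulting counts are only as trustworthy as an unauthenticated query string.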

 
Thanks Jeff - yes I think I'll end up doing something like that.

I found out exactly what the problem was by looking at Microsoft security bulletins from 2001/2002 - they had a lot of problems with cross-frame security violations and I think it got pretty embarrassing for them - they kept saying they'd fixed it and people would find new ones!

If you have your IE up to date now, the default settings mean that if you load someone else's site in a frame you do not store any of the cookies that site drops! With security set to medium in IE 6.0 (the default setting), the only way you can get cookies from a site is if that site is the parent frame or of the same domain as the parent frame. So if you load a different domain site in a frame or an iframe (I tested both) - you will get NO cookies from the 'foreign' site. If you set security to low, everything works like it should.

Thanks for your help - your initial intuition was correct. Unfortunately there's nothing I can do about the security settings on my users' machines :-(

Best regards
Bruce
 