Setting the CurrentContact Cookie domain for sharing across Kentico sites - cookies

I am working in Kentico 11. I have multiple sites in the same Kentico instance, each hosted on subdomains of a primary domain (news.example.com, www.example.com). I want to share the currentcontact cookie between those subdomains. Currently each of the subdomains shows that cookie originating from that specific sub.
How can I set it up so that the currentcontact cookie and its value is available across the subs?

One approach is what Vasu had suggested, where you can leverage the fact that subdomain cookies can be shared to some extent, though browsers by default do try to separate even these to a certain extent.
Another would be to create a so-called super-cookie which goes above domains (https://security.stackexchange.com/questions/122372/how-to-detect-inspect-and-delete-a-super-cookie-of-a-specific-website).
Then you can create your own implementation of the ICurrentContactProvider or IContactPersistentStorage interfaces, where the GetPersistentContact or, respectively, GetExistingContact methods would look at other cookies or the supercookie as well to track the contact across domains.

Related

Is it possible to swap user cookies/profiles with Tamper/Greasemonkey?

The chrome "swap my cookies" extension allows you to swap between multiple 'profiles' in chrome, that span all sites.
I'm attempting to create something similar for testing my own web services, so I'd like to restrict it to only my domains.
What would be convenient, is to be able to do this from a small userscript using tampermonkey or greasemonkey to add a menu that would swap cookies etc.
Does anyone have any idea on how to get started? Or if it's at all possible?
If your cookies are not httponly you can load them with document.cookie, save them with GM_setValue('cookie_profile_a',document.cookie) and GM_getValue('cookie_profile_a') or in the localStorage with localStorage.setItem('cookie_profile_b',document.cookie) and localStorage.getItem('cookie_profile_b'). For creating a menu in Tampermonkey you can use existing solutions like GM_config (https://stackoverflow.com/a/14594346#43462416).
An extension can have access to all cookies from all domains, but content-scope scripts, like page scripts and user-scripts, have access only to the document cookies for their own domain. That is a security measure to prevent page scripts from interfering with cookies from other domains.
Furthermore, page scripts have no access to browser profiles.
Therefore what you have asked for is not possible with any content/user script.
It is possible for a user-script that runs on multiple domains to read/write cookie data once injected into those domains.
Therefore, a script running on A, B, C domains can get/copy data from cookies from domain A after getting injected into A, then store the data and then write the data in cookies in domain B after getting injected into domain B.

What is a "friendly third-party" cookie?

I hear that some web analytics solutions or consultants recommend the use of "friendly third party cookies".
How do they differ from "regular" 3rd party cookies?
What are their pros & cons compared to usual 3rd and 1st party cookies?
The difference is only in the name of the domain the cookie comes from. The domain name of a 'friendly' 3rd-party cookie may be similar to the 1st-party domain - making it appear 'friendly', as opposed to a potentially 'non-friendly' unknown/unrelated 3rd-party domain.
To a browser, the cookie is still considered '3rd-party' (i.e. not from the current host domain). To a user, they may be more willing to accept the cookie (if they are given a choice), or maybe less likely to delete it later, if the domain name appears familiar.
A 3rd-party cookie (if the browser/user accepts it) can maintain the identity of a single visitor across multiple domains. This is why they are considered a privacy concern. If you use 1st-party cookies on multiple domains, the visitor would receive a unique visitor ID cookie from each site on arrival (unless you use something like Google Analytics cross-domain tracking on all inter-site links to stitch the IDs together).

By what mechanism is a third-party cookie placed, and how does it have access to, say, what you just searched for?

I understand the concept of third-party cookies, but don't understand by what mechanism they are placed (if you're visiting Domain A in our browser, why is it that not all cookies placed have to come from Domain A?). Furthermore, I don't understand how they have access to, say, search parameters? (I'm referring to the common occurrence of, say, searching for "buy a watch" on Website A and then visiting a Website B later and seeing advertisements for watches).
Any help would be appreciated!
Third-party cookies are placed by 3rd-party content. That is to say an image, iframe or other resource coming from a domain other than the page you're on (like an ad from an ad server).
Third-party cookies cannot access information from the main site directly, but no technical means prevents the first and third parties from sharing that data with each other behind the scenes (i.e., through corporate deals). Then again, for all you know company A owns company B or vice-versa.
Therefore in the example you provided company A would trade or sell your search queries to company B and they'd use some sort of identification process to match the results (like the time and IP of the request).
I understand the concept of third-party cookies, but don't understand by what mechanism they are placed (if you're visiting Domain A in our browser, why is it that not all cookies placed have to come from Domain A?).
A site sets the cookie by sending a cookie header along with the page content. They look like this:
Set-Cookie: NAME=VALUE; expires=DATE; path=/; domain=.stackoverflow.com; secure
As you can see, the cookie header includes a parameter that allows the site to set the domain to anything it wishes, even domains that differ from the web server's actual domain. When they differ, it's called a third party cookie. It's up to the browser to decide whether to accept them.
Furthermore, I don't understand how they have access to, say, search parameters? (I'm referring to the common occurrence of, say, searching for "buy a watch" on Website A and then visiting a Website B later and seeing advertisements for watches)
Typically the cookie will set an identifier that represents you as a unique viewer on the web site, then start a database on the back end that tracks where you've been. Different parties share access to this database (via B2B web services on a paid basis). They can use your cookie to get your ID, look you up in the database, and see where you've been and what kind of products you've viewed.

Setting default cookie domain for Django site with multiple domain names

I would like to set a specific cookie domain for my cookies, because this might solve some issues our site seems to have with IE8. Django seems to have a setting called SESSION_COOKIE_DOMAIN which can be set to obtain this. The problem however is that our site contains multiple subsites which have alternative domain names. So my question is, how can I manage this? I would like to have a standard cookie domain per domain, because I fear browsers like IE8 will reject cookies which aren't from the same domain (quicker).
I will do research myself, but I wondered if anyone perhaps has experience.
Update:
What I actually want to do is to make django store cookies for domain1 when I visit domain1.com etcetera for the other domains. I think it should be as easy as to use the current client domain when storing cookies. I doubt however that django offers such functionality without modification... Maybe I could build a middleware class that changes the global setting to the current domain..
Update:
This question and answer helped me out:
Changing Django settings variable dynamically based on request for multiple site
Thanks for help :)
Cookies can't be stored or retrieved for other domain names. In other words, if I am at yahoo.com I can't get the cookie for google.com. However, foo.yahoo.com and bar.yahoo.com can both retrieve cookies saved at .yahoo.com.
If you are running a website with multiple subsites, if they all share the same basic domain (i.e. site1.domain.com, site2.domain.com, etc) you should use that domain for SESSION_COOKIE_DOMAIN. But if they have different domains, it's basically impossible for them to share cookies without using some other method of getting the cookies. You can, for example, include images or scripts that point to a central site, and that site can store and retrieve the cookies, which are made available to the rest of the page via JavaScript.
If you must keep these alternate domain names, you can always set your web server to redirect immediately from these alternate domain names to the shared standard domain. This is easy to do with mod_rewrite.
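The subdomain-sharing rule from the answers above (news.example.com and www.example.com sharing one cookie; one cookie domain per domain name in the Django case), as an added example that is not part of the original posts. It picks the Domain attribute from an allowlist instead of echoing the Host header; BASE_DOMAINS and all function names are assumptions made for illustration.

```python
import ipaddress
from typing import Optional

# Assumption: base domains this deployment serves (constructed sample values).
BASE_DOMAINS = ("example.com", "domain1.com")

def normalize_host(host_header: str) -> str:
    """Lower-case the Host header value; drop the port and any trailing dot."""
    host = host_header.strip().lower()
    if host.startswith("["):  # bracketed IPv6 literal: never a cookie domain
        return host
    return host.split(":", 1)[0].rstrip(".")

def is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def domain_match(host: str, cookie_domain: str) -> bool:
    """RFC 6265 5.1.3: host equals the domain or is a subdomain of it."""
    domain = cookie_domain.lower().lstrip(".")
    if host == domain:
        return True
    # The suffix must start on a label boundary; IP addresses never suffix-match.
    return host.endswith("." + domain) and not is_ip(host)

def cookie_domain_for(host_header: str) -> Optional[str]:
    """Domain attribute for this request, or None for a host-only cookie."""
    host = normalize_host(host_header)
    for base in BASE_DOMAINS:
        if domain_match(host, base):
            return base
    return None  # unknown Host: never reflect it into Set-Cookie

def set_cookie_header(name: str, value: str, host_header: str) -> str:
    """Build the Set-Cookie value a response for this Host would carry."""
    parts = [f"{name}={value}"]
    domain = cookie_domain_for(host_header)
    if domain:
        parts.append(f"Domain={domain}")
    parts += ["Path=/", "Secure", "HttpOnly"]
    return "; ".join(parts)
```

A host that matches no base domain gets a cookie without a Domain attribute, which the browser returns only to that exact host.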

How do I allow users to map their domains to a url on my site?

How do I allow users to map their domains to a url on my site? (like how tumblr or blogger does)
The app is being developed in Django. I want the users to be able to map their domains to mydomain.com/username (is this possible or do I need to have a format like username.mydomain.com?)
Also my app runs on a VPS so I have my nameservers as ns1.mydomain.com and ns2.mydomain.com.
Easiest way is through domain cloaking. Most domain name providers will allow users this option.
Another easy idea is to provide your users with a very generic HTML page that just includes their URL on your site in an iframe and have them place that as their default directory index (e.g. index.html).
Both the aforementioned would always show the base domain (without trickery). As noted below, a CNAME DNS record would take care of this, assuming they have the ability to edit DNS records...
www.someuserdomain.com. CNAME username.yoursite.com
In that case, you will have to consult your specific hosting setup for how to programmatically change your DNS settings. Whether you can actually do this depends on the host. If your server is running a DNS server that you have access to, you can probably change it that way.