Main site - www.example.com
App site - app.example.com
The cookie is created on app.example.com, but should also work for www.example.com.
setcookie("gacookie", time(), time()+31536000, '/');
Is this possible? What would be the code?
The cookie is being used to create a filter for GA that will exclude all current members of my application. The cookie is set the first time they log in. Both the main domain and the subdomain use the same GA tracking code.
Also, if another site that I visit has a cookie with the string "gacookie", will that effect the Google Analytics filter, or will it only ready cookies from the domain and subdomain it is tracking...
Here are more details on how to integrate tracking across sub/domains.
http://code.google.com/apis/analytics/docs/tracking/gaTrackingSite.html
Related
I am trying to set up Google's server-side tracking to pass data from a website to Google Ads in a first party context. I understand how this works and I have done this before. The setup requires you to add 8 DNS records to your domain (4 A records and 4 AAAA records) all using the same hostname that you have set as the subdomain. I have never had an issue until I tried to set this up using a Shopify-hosted domain. Shopify does not let you add multiple A/AAAA records having the same name. I also tried using # as the name which did not work either as that is the same as the default domain that Shopify sets when you host your domain with them. Shopify have confirmed that this is not possible and no other domain hosts give me this issue.
Is there any workaround here? This essentially means that if one is using a Shopify hosted domain, they cannot make use of this server-side tracking by Google which will become vital with the removal of Chrome's 3rd-party cookies coming up!
I tried to add the records in and it did not let me and threw an error.
As the owner of domain example.com with many content what security risks arising from providing subdomain to third party company. We don't want to share any of the content and the third company would have complete control over the application and machine hosting the subdomain site.
I'm concerned mainly about:
Shared cookies
We have cookies .example.com, so there will be sent also in the requests to subdomain. Is it possible for us to point A record to reverse proxy where we strip the cookies and send the request to third party provider without them?
Content loading from main domain
Is it possible to set document.domain to example.com and do XMLHttpRequest to the example.com?
Cross site scripting
I guess that it would be no problem because of the same origin policy. Subdomain is treated as separate domain?
Any other security issues?
We have cookies .example.com, so there will be sent also in the
requests to subdomain. Is it possible for us to point A record to
reverse proxy where we strip the cookies and send the request to third
party provider without them?
Great idea, you could do this yes, however you will also need to set the HttpOnly flag, otherwise they would be able to retrieve them with JavaScript.
Is it possible to set document.domain to example.com and do
XMLHttpRequest to the example.com?
No, subdomains for Ajax are treated as a different Origin. See this answer.
I guess that it would be no problem because of the same origin policy.
Subdomain is treated as separate domain?
JavaScript code could interact with each other subdomains - but only with the cooperation of your site. You would also need to also set document.domain = 'example.com'; If you do not do this, you are secure against this threat.
See here:
When using document.domain to allow a subdomain to access its parent
securely, you need to set document.domain to the same value in both
the parent domain and the subdomain. This is necessary even if doing
so is simply setting the parent domain back to its original value.
Failure to do this may result in permission errors.
Any other security issues?
You need to be aware of cookie poisoning. If evil.example.com sets a non host-only cookie at .example.com that your domain believes it has set itself, then the evil cookie may be used for your site.
For example, if you display the contents of the cookie as HTML, then this may introduce XSS. Also, if you're using the double submit cookies CSRF prevention method an evil domain may be able to set their own cookie value to achieve CSRF. See this answer.
on my website I have Google Tag Manager with a GA Universal Analytics Tag installed. All images on the site are on a dedicated subdomain: images.example.com
My issue is that Analytics sets its _ga cookie to ".example.com" so it is sent along with all requests to images.example.com. I would like to set the cookie domain to "example.com" (without the dot) so it does not apply to my image-only subdomain.
I have already set the "Cookie Domain" setting to a macro which is a constant with the value "domain.com" and even though the container is properly published the cookie domain remains ".example.com"
Do you guys have any hints on how I could change the cookie domain?
Use the cookie domain "none"
This will set a host-only cookie which will not be sent for all subdomains. Except in IE.
See the localhost example here:
https://developers.google.com/analytics/devguides/collection/analyticsjs/domains
I have a setup with the following domains:
mydomain.com
www.mydomain.com
There is one problem (tested on Internet Explorer):
if some cookie is set for mydomain.com, this cookie is also effective for www.mydomain.com even if I set a cookie with the same name for www.mydomain.com.
More specific examople:
1) the user chooses his prefered language on website mydomain.com and I set the cookie usrlng=en
2) next day someone else uses the same computer, naviagtes to www.mydomain.com and chooses his language, and I set the usrlng=de. But Internet Explorer keeps sending both cookies usrlng=en and usrlng=de to the server (I see this in Fiddler)! Why is it sending the same cookie twice and not overriding 'usrlng' with the subdomain value?
At the same time I see that PHPSESSID is being overwritten correctly for the subdomain, there are no two PHPSESSID cookies being sent to the server.
How can I fix the usrlng cookie and make it work the same way as PHPSESSID works?
You can also set a different save_path for each... so they don't share the sessions.
PHP example:
$subdomain = array_shift(explode('.',$_SERVER['HTTP_HOST']));
ini_set('session.save_path','D:\website_sessions\'.$subdomain.'\');
ini_set('session.save_path','D:\website_sessions\'.$subdomain.'\');
PHP needs access to write in the sessions directory.
For now I solved the problem by setting the 'host' of the cookie instead of 'domain'; 'host' property allowed to limit the cookie to mydomain.com or www.mydomain.com.
Maybe that is the only way to go and 'domain' cannot be set up to oveeride top level domain cookies.
I'm currently doing development on a site for a client. This site will be hosted on a subdomain of the client's main site. The client's main site is
www.xyz.com
and the site I'm working on will be hosted at
funds.xyz.com
Anyone who visits www.xyz.com will have a cookie written to their machine which contains data specifying the user's region. I need that data on my site. Is it possible for me to get access to this cookie?
Yes, so long as the cookie is set for domain ".xyz.com" (note the leading "."). This makes the cookie available to all subdomains of xyz.com
On the other hand, if the domain is "www.xyz.com", the cookie is only visible to the www subdomain.
I believe if you create a cookie with domain name: .xyz.com it will be accessible across all sub domains.