Home » Php » PHP Cookies for multiple Domains

PHP Cookies for multiple Domains

Posted by: admin July 12, 2020 Leave a comment


I want to create a cookie from one domain once the user is registered in PHP. and make this cookie accessible to 4 other domains not subdomain. I know that cookies are not designed to be accessible for other domains. For example I have set a cookies variable $user_email from domain www.firstdomain.com and want to access it in other domains like www.seconddomain.com, www.thirddomain.com etc. May be this can be done using PHP or JavaScript. Any idea please.

Thank you!

How to&Answers:

As you have already said, a cookie can only be set for a domain from that domain (including its subdomains). And if your domains do not share a common superdomain, you need set each cookie for each domain separately.

You can do this with a script that on each domain that sets the cookie for you. But make sure to authenticate requests to these scripts so that only you can set the cookies.


When searching the cookie list for
valid cookies, a comparison of the
domain attributes of the cookie is
made with the Internet domain name of
the host from which the URL will be
fetched. If there is a tail match,
then the cookie will go through path
matching to see if it should be sent.
“Tail matching” means that domain
attribute is matched against the tail
of the fully qualified domain name of
the host. A domain attribute of
“acme.com” would match host names
“anvil.acme.com” as well as
“shipping.crate.acme.com”. Only hosts
within the specified domain can set a
cookie for a domain and domains must
have at least two (2) or three (3)
periods in them to prevent domains of
the form: “.com”, “.edu”, and “va.us”.
Any domain that fails within one of
the seven special top level domains
listed below only require two periods.
Any other domain requires at least
three. The seven special top level
domains are: “COM”, “EDU”, “NET”,
“ORG”, “GOV”, “MIL”, and “INT”.

The default value of domain is the
host name of the server which
generated the cookie response.

read up here.

you can load an iframe from a host which then reloads itself with the encoded cookie value in the segment part (after the #).

you can then access the document.location attribute from the parent window (hits the only thing that is accessible). decode it and pass it to your server doing an ajax request.

This could look like so.

xss.php (located on cookies.example.com):

$data = array(
'uid' => $_COOKIE['uid'],
'loginhash' => $_COOKIE['loginhash']);
header('Location: xss.php#'.urlencode(json_encode($data)));

for this particular case it does not need to be the hashtag! its just convinient for other situations. this can also be done in javascript.

another website embeds xss.php:

<iframe id="cookies" src="http://cookies.example.com/xss.php"></iframe>

you need to somehow delay the following of do it in a loop that stops after 5 seconds or something.

if(document.getElementById('cookies').location != 'http://cookies.example.com/xss.php') {
 // read location, extract hashtag, json decode using javscript, there you have your user. send it to server for validation or whatever.

this teqnique is called xss recieving. it is for example utilised by facebook for all their javascript connect libraries.

a probably better way would be some sort of token exchanging protocol like openid.

amazon uses this too.

you can set up an openid provider (there are librarys available that can do that out of the box) and set it to auotmatically redirect back without user interaction. i have often seen openid protocol used for some other purposes just like cross domain communication.


I had solved exactly same problem (actually also for 4 domains). The only solution I’ve came up with was, to include 3 hidden iframes on the ‘Successful login page’ and those iframes just load www.domain1.com/register_session.php, www.domain2.com/register_session.php, etc….

As a parameter for register_session.php I use ‘sid’ which contains session ID:


This is actually for keeping session alive on all those domains but the same would be for your case with cookies.


I ve done some scripts to handle multi domain cookie :



if you want to access cookie within different domains so this can be done with the help of javascript trick. As cookie can be accessed within same domain.

  1. Create cookie on user’s browser using JavaScript on your first domain.

  2. Set the name of the window to whatever value of cookie you want to carry to another domain by using window.name.

  3. Step 2 should be performed on every page of the domain which has created the cookie. It could be easily by calling a JavaScript file on all pages.

  4. When you move to another domain, and want to access the above mentioned cookie value, access it by using window.name as window has not changed.

  5. Create new cookie on this domain and assign this value to it.