Miscellaneous Hacks - CES Cookie Cutter - Share Cookies Between Domains

CES Cookie Cutter
vBulletin 3.6.x, 3.7.x, & 3.8.x supported
Version: 1.2.3

*** NEWS ***
4/12/2009 - v1.2.3 released
4/11/2009 - v1.2.2 released
8/8/2008 - v1.2.0 released
2/18/2008 - v1.1.5 released
2/11/2008 - v1.1.0 released
2/13/2007 - v1.0.0 released

Known Issues:
- none

What It Does:
Shares cookies among domains for seamless vBulletin login/logout functionality across multiple domains.

Basically if you have more than one domain name, or you have private forums scattered among domains, and all vBulletin instances use the same vBulletin database, this hack allows for integrated, synchronized login/logout on all domains at once.

Products to Install: 1
Plugins Included: 3
Files to Upload: 1
Templates to Edit: 0
Files to Edit: 0

Mod Features:
- Adds a field in vBulletin Options to enter multiple forum URLs
- Integrates login/logout functionality at all forum locations
- safety cookie settings available for users who left their cookie domain blank in vBulletin cookie options

Changelog:
Version 1.2.3:
- bug fix: only logouts integrate

Version 1.2.2:
- bug fix: XSS flaw
- bug fix: remember me

Version 1.2.0:
- updated: no more template edits
- updated: rearranged the whole mod
- bug fix: IE P3P failure

Version 1.1.5:
- new feature: cookie debug mode
- bug fix: global cookies only apply to www

Version 1.1.0:
- extended: now supports domains sharing the same file location
- bug fix: integrated login is not bidirectional
- bug fix: integrated login fails if forum is turned off
- bug fix: redundant cookies are generated

* This mod is offered for free here. Please donate if you like this mod *

[thincom2000]

If the forum also doesn't physically exist until a subfolder, you should include it in the settings. Say: subdomain.site1.com/forum

Otherwise, everything looks like it's correct and functioning properly.

[dfc005]

Nope, the forum doesn't sit in any subdirectory. Just in the root of those subdomains.

Dammit, was hope I was missing something really simple and easy and it would fix all my problems.

[dfc005]

OK, I tried popping up the src for the fake "image" into a new window, to prove to myself those files were working and setting cookies and sessions. If I do this, it works perfectly in IE and Firefox. Not exactly a perfect solution but proves that the idea does work.

I then also moved the fake "images" to the top of the STANDARD_REDIRECT template so they got loaded first rather than last. Seemed to help my Firefox problem with only a couple of the domains picking up the cookie/session.

So still, my only problem is in IE. It just doesn't seem to work at all. I'm using IE7 and just stumped.

[thincom2000]

I should be able to update the mod with some javascript that will wait until all fake images are loaded before executing the redirect, which could also help with your IE problem considering everything else seems to be correct.

[dfc005]

That would be fantastic if you could.

Is it possible the IE problem is actually cross domain policies and the like?

[thincom2000]

It works in IE7 on my test site, so I doubt that.

[dfc005]

OK, here's my latest findings.... It was cross domain privacy policies for me. What do you have your privacy set to in IE?

I set the following at the beginning of the ces_cookies.php and that has fixed my problem for IE. Works like a charm now.

PHP Code:

header('P3P:CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"'); 


Found another problem though. And not sure if it's your script that's doing it or not! It seems when I try and login without checking "Remeber me?", it logs into all sites except the one I'm actually logging into? Any ideas on that one?

[thincom2000]

Interesting. I would like to read a little more about the header you have posted. Can you provide a documentation link for your findings?

It's possible that this mod is causing the cookies not to be set, so I guess I'll have to remove the efficiency check I added, which prevented the mod from adding an image for the current domain (since the originating script should have taken care of those cookies).

[dfc005]

Sure mate, here's a few links. They all refer to cookies not being set in iframes but I assume that the fake "image" would have the same problem.

http://aspnetresources.com/blog/fram...d_cookies.aspx
http://gathadams.com/2007/06/25/how-...-applications/
http://james.jamesandkristin.net/200...rnet-explorer/

[dfc005]

Any more thoughts mate? What was your privacy set to in IE?