Writing

Feed Software, technology, sysadmin war stories, and more.

Saturday, February 25, 2012

Coordinated cookies

After working front-line support for about a year and a half, I managed to escape to a world which was intended to help the support teams. We were supposed to analyze hot spots, find the pain, and then eliminate it. Our name was "Service Innovation". For me, it amounted to finally having a place in the org chart which would officially let me create the things I had been doing anyway.

Even though I was no longer officially part of the support organization and had actually been moved off the floor to make room for even more people, customer issues would still float past me. It was interesting how it would happen.

My friends out on the support floor would occasionally get customers on the phone asking questions which were "out there" and definitely beyond what the company officially supported. They were still questions about web hosting and how things of that nature worked, but they were just too esoteric to reasonably expect every tech to know about them.

One day, a chat window popped up, and my friend said he had a customer who "... needed cookies to work on multiple domains". I grimaced and told him that browsers aren't going to play nice with such things, and he'd need to do some special magic to force the issue. So then he asked if it was technically possible, magic or no, and if I knew a way to do it. I said, yes, it can be done, and I suppose I could tell him about some of the tricks I've seen in use on the web.

Well, not long after this, the customer really wanted to talk to me to eliminate the back-and-forth. Now, granted, I was in an office with 7 other people, but I did have a phone, and that phone still had my old headset attached, so I decided to mess with my officemates and took the call.

The situation was simple enough: our customer had two completely separate domain names and wanted users to stay logged in across both of them. He was running into the same-origin policy stuff and needed a way around it. I decided to tell him about some of the things which some sites had been caught doing around that time. If you landed on site B without a cookie, it would try to bounce you off site A where maybe you did.

Site A would be able to see your cookie, and it would then redirect you to a dynamically-generated path back on B which included the content of your cookie. B could then set that in its next response, and it was done. You'd now present the same cookie to both sites. Since they both shared the same backend lookup tables, you'd now be logged in with A.

The exchange looked like this:

  1. User accesses http://b/xyz and doesn't convey a cookie
  2. Due to the lack of a cookie, B issues a 302 redirect to http://a/getcookie/b/xyz
  3. The user's browser automatically loads http://a/getcookie/b/xyz while presenting their cookie called "id" with the value "4077".
  4. A notices the "id" cookie and generates another 302 redirect to http://b/setcookie/id_4077?xyz
  5. The user's browser follows that redirect and loads http://b/setcookie/id_4077?xyz.
  6. B emits one final 302 redirect to http://b/xyz and also adds a "Set-Cookie: id=4077" header while doing it.
  7. Finally, the user's browser loads http://b/xyz again, and this time, it presents a cookie, so B returns a logged-in result.

During all of this, there's a little lag, and the location bar may flicker once or twice, but then it's done. If they click 'reload', it doesn't happen again, since now the cookie is already there.

This had never occurred to him, and he was happy to hear about it. He was also very happy that he was able to call up and talk to someone who "really does this stuff". I had to tell him that while I did meddle with cookies and stateful web stuff now and then, I never did that particular hack myself. I had been lucky enough to not need it.

In my case, this customer wanted things to "just work" for his visitors. He wasn't doing any funky ad stuff to combine profiles or other things of the sort. His trick would only work if both sites were willing to "play ball" and exchange things this way. Since he ran both of them, he could make it work.

Now, imagine instead that my customer had two properties which were huge and each had a whole bunch of data about you. Maybe one was a database he built up himself and the other was one he got by buying the company which owned it. Maybe one side knows where you went to school, and the other side knows what you do for fun on the weekends. Being able to combine that would let him sell all kinds of ads!

Also, to make things even better, he could come up with something which would make people tell him the answers to those questions. Then, he'd just have to rework his privacy policy to allow all of this info to be squished together without getting the FTC on his case.

Wow! It's a good thing nobody else thinks like this!