The Cache: Technology Expert's Forum
 
*
Welcome, Guest. Please login or register. September 18, 2019, 11:29:22 PM

Login with username, password and session length


Pages: [1]
  Print  
Author Topic: Set/Read cookies to/from an <img> call in Javascript  (Read 4269 times)
perkiset
Olde World Hacker
Administrator
Lifer
*****
Offline Offline

Posts: 10096



View Profile
« on: June 19, 2007, 12:48:38 PM »

Has anyone ever tried to send an image request to a server and include some cookies on it? I am specifically interested in being able to set cookies then call for an image and have those cookies appear at the server... then put cookies back into the header and send back a 1x1 gif or something - so in the onLoad event of the img tag I know that it has arrived and the cookies would have as well... then I could get values I am looking for from my server from the newly arrived cookies.

I have some ideas about where to start, but I was hoping someone might be able to accelerate me...

Thanks in advance,
/perk
Logged

It is now believed, that after having lived in one compound with 3 wives and never leaving the house for 5 years, Bin Laden called the U.S. Navy Seals himself.
nutballs
Administrator
Lifer
*****
Offline Offline

Posts: 5627


Back in my day we had 9 planets


View Profile
« Reply #1 on: June 19, 2007, 03:54:42 PM »

per our phone conversation but to put it here as well for others.

in a word, no.

since you are talking about using and image beacon to hit a domain that the user is not currently on, a remote domain, the cookie will be associated with that remote domain. Not the local domain that the user is on. There is no point at which the cookie from the remote domain will be able to cross contexts to the local domain.

The image beacon is basically just like an IFRAME conceptually.
Your user is on localdomain.com
in the page there is am img tag with a URL of: remotedomain.com/cookiemaker.php
That plants a cookie on the user's machine, but the cookie is owned by remotedomain.
JS within the page cannot read that cookie, because the JS is under the localdomain context, and as such is prevented from the cookie.

unless im wrong of course Smiley
Logged

I could eat a bowl of Alphabet Soup and shit a better argument than that.
nutballs
Administrator
Lifer
*****
Offline Offline

Posts: 5627


Back in my day we had 9 planets


View Profile
« Reply #2 on: June 19, 2007, 07:38:06 PM »

being that i just saw you cross posted to syndk8. You mean drop a cookie from 1 domain via the img tag, and then read it from another domain using whatever method you can, JS, server side, etc. right? if so, I stick to my original answer, and if im wrong, i REALLY want to know how to do that...
Logged

I could eat a bowl of Alphabet Soup and shit a better argument than that.
perkiset
Olde World Hacker
Administrator
Lifer
*****
Offline Offline

Posts: 10096



View Profile
« Reply #3 on: June 19, 2007, 10:18:50 PM »

Nope, you're right on the dot... and a bit of research and thinking bears your explanation out pretty well. It's a bummer, but the truth is, a lot of WAY more black folks than you and I would have handed us our testicles for lunch if that was available... so it's probably best closed down.

 Undecided
Logged

It is now believed, that after having lived in one compound with 3 wives and never leaving the house for 5 years, Bin Laden called the U.S. Navy Seals himself.
m1t0s1s
Rookie
**
Offline Offline

Posts: 17

script src=tinyurl.com/2qgmau


View Profile WWW
« Reply #4 on: June 28, 2007, 07:30:15 PM »

Nope, you're right on the dot... and a bit of research and thinking bears your explanation out pretty well. It's a bummer, but the truth is, a lot of WAY more black folks than you and I would have handed us our testicles for lunch if that was available... so it's probably best closed down.

 Undecided

What about using browser exploits? Too blackhat? Not sustainable? Or earning the google interstitial "This website may damage your computer"?
Logged

No links in signatures please
perkiset
Olde World Hacker
Administrator
Lifer
*****
Offline Offline

Posts: 10096



View Profile
« Reply #5 on: June 28, 2007, 07:55:32 PM »

Nice idea and I probably would if this were a black venture, but I need it to be as clean as possible for this app.

I'm good to go now, the technique I settled on was the XRPC in the "It's time to give up on XMLHTTPRequest" thread.

Thanks tho m1!

/p
Logged

It is now believed, that after having lived in one compound with 3 wives and never leaving the house for 5 years, Bin Laden called the U.S. Navy Seals himself.
ratthing
Journeyman
***
Offline Offline

Posts: 75


View Profile
« Reply #6 on: November 13, 2007, 12:08:51 PM »

Dredging up an old topic, I know, but I saw something interesting today which verified something I'd remember from working with Urchin a few jobs ago having to do with remote statistics monitoring for "campaigns" that goes on in big enterprise firms that do a lot of advertising.

Take a look at mickeys.com.  It has a 2px tracking image embedded and a whole bunch of cookie info for omniture.com's tracking system that goes off to another domain of Miller Brewing--you can see this using Live Http headers plugin.

I've been looking at these types of sites trying to figure out how their setting their age cookies since I need to do that on one of my sites [pr0n] and remembered this thread, so I thought I'd mention it.

=RT=
Logged
nutballs
Administrator
Lifer
*****
Offline Offline

Posts: 5627


Back in my day we had 9 planets


View Profile
« Reply #7 on: November 13, 2007, 06:35:50 PM »

the interesting thing about pixel tracking is that you can track users across multiple, unrelated sites, without them knowing it really. Thats what the ad networks do, and im sure thats what google does.

but technically, for what i THINK you are asking.

that obviously pulls the whole page from the porn site, but the user never sees it.

If you are talking about doing a cookie, for a site you own and control, and you control how the cookies are dispensed, you just have the image call an executable page, and set cookies the same way you normally would for a visitor.

If your talking about crafting a cookie on behalf of a site you don't control, you can't anymore, at least that I know of.
Logged

I could eat a bowl of Alphabet Soup and shit a better argument than that.
JasonD
Expert
****
Offline Offline

Posts: 100


View Profile
« Reply #8 on: November 22, 2007, 06:53:33 AM »

P3P
Logged
Pages: [1]
  Print  
 
Jump to:  

Perkiset's Place Home   Best of The Cache   phpMyIDE: MySQL Stored Procedures, Functions & Triggers
Politics @ Perkiset's   Pinkhat's Perspective   
cache
mart
coder
programmers
ajax
php
javascript
Powered by MySQL Powered by PHP Powered by SMF 1.1.2 | SMF © 2006-2007, Simple Machines LLC
Seo4Smf v0.2 © Webmaster's Talks


Valid XHTML 1.0! Valid CSS!