How to Track your Users over Several Domains?

Track users over different domains is a recurrent issue while developing a substantial web solution. Use cases are countless:

• authenticate customers over different websites (Google-like single sign-on);
• cross-sell based on what they have visited previously on other websites;
• customize user experience;
• analytics.

Let’s say we are trying to build a single authentication between two domains: my-account.com and webmail.com.
We are considering the following scenario, following a specific user named Jack:

How can we get webmail.com to know that its users are already logged in on my-account.com?

Setting cross-domain cookies?

The first approach that comes to mind is to set a cookie on my-account.com users’ web browser as soon as they are authenticated on this website and to use these cookies later on webmail.com.
At first glance, this solution seems staight-forward: setting a cookie is easy and can be achieve within a few lines of codes using PHP or JS.

<?php setcookie("loggedIn", true);

Unfortunately, here we encounter our first problem: There is an important web concept called ‘Same origin policy’ that prevents one website to access another website resources through user’s browser.

Amongst other things, this rule specify that cookies are specific to a given domain. Nor webmail.com is able to read my-account.com related cookies, nor my-account.com is capable of writing its own on webmail.com.

And this for user security purposes: you don’t want a malicious page to get access my-bank-account.com session cookies.

So, how do we deal with this problem?

To read the full article: https://www.theodo.fr/blog/2016/10/how-to-track-your-users-over-several-domains/