I’ve seen a lot of confusion about this lately, so I thought I’d make a quick writeup to explain how Facebook does it. (I’ll also give a quick tip on how you can do it yourself.)
What Facebook Does
Facebook is in a unique position compared to most developers who want cross-domain cookies: the user visits both facebook.com and the other website.
Facebook never actually sets cookies cross-domain; it only reads them cross-domain. It sets cookies on facebook.com when the user visits facebook.com, and it sets cookies on example.com (or any other website) when the user visits example.com.[1] The cross-domain “read” works because the Like button or login widget on example.com is an iframe served from facebook.com, so the browser attaches the facebook.com cookies to that request as third-party cookies. Keep in mind that browsers have tightened this since: a cookie is only sent in a cross-site context if it was set with SameSite=None; Secure, and Safari and Firefox block or partition third-party cookies by default, so the read side of this trick is no longer something you can rely on without something like the Storage Access API.
What about when the user is not logged into Facebook?
(This is how you can do it!)
If the user is not logged into Facebook when using a Facebook widget on example.com, Facebook opens a popup window – not an iframe – to let the user log in.
A popup window is a top-level browsing context, so the cookies it sets are ordinary first-party cookies for the popup’s own origin; the third-party cookie restrictions that apply to an iframe (Safari’s default block, IE’s P3P requirement) do not apply to it, and it can read and set cookies normally. Once the popup has logged the user in, the iframe on example.com can read the resulting session in the same way it reads any other facebook.com cookie, subject to the third-party cookie caveats above.
What about popup blockers?
Most popup blockers make a special exception for “intentional” popups – ones that occur as a direct result of a user’s click. When the user clicks the login button, the blocker allows the popup because the click indicates that the user wanted that popup. The practical consequence is that window.open must be called synchronously inside the click handler; if you first make an XHR/fetch call or wait on a timer and only then open the window, the user activation has expired and the popup is blocked.
To get the result back from the popup (or from an iframe) you need cross-document messaging. window.postMessage is the native mechanism: always pass an explicit target origin, and in the receiver check event.origin (and that event.source is the window you opened) before trusting anything in the message. If you need to support older browsers without postMessage, you can include the excellent easyXDM library for iframe-parent communication. You might need to combine a popup + one or more iframes in some situations.
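The popup login flow described above, written out as an added example (it is not code from the original post and not Facebook’s own code). The origins https://login.example.com and https://www.example.com, the login URL, and the message shape { type: "login-complete", user } are all assumptions made for illustration. The browser objects are passed in as parameters so that the same logic can be exercised offline with constructed fake windows at the bottom of the block.

```javascript
const LOGIN_ORIGIN = "https://login.example.com";       // assumed: origin of the popup
const LOGIN_URL = LOGIN_ORIGIN + "/login?display=popup"; // assumed: popup login page

// --- Parent page (www.example.com) side ---------------------------------

// Validate a "message" event before trusting it. event.origin is filled in
// by the browser, not the sender, and event.source must be the very window
// we opened; anything else (another frame, another origin) is ignored.
function acceptLoginMessage(event, popupWindow) {
  if (event.origin !== LOGIN_ORIGIN) return { ok: false, reason: "origin" };
  if (!popupWindow || event.source !== popupWindow) return { ok: false, reason: "source" };
  const d = event.data;
  if (!d || typeof d !== "object" || d.type !== "login-complete" || typeof d.user !== "string") {
    return { ok: false, reason: "shape" };
  }
  return { ok: true, user: d.user };
}

// Call this directly from the login button's click handler. `win` is the
// page's window object (injected so the logic can run outside a browser).
function startLogin(win, onLogin) {
  // window.open must run synchronously here: the transient user activation
  // that gets it past the popup blocker does not survive an intervening
  // fetch() or setTimeout().
  const popup = win.open(LOGIN_URL, "login", "width=500,height=600");
  if (popup === null) return { opened: false }; // blocked (or opened with noopener)
  const listener = (event) => {
    const result = acceptLoginMessage(event, popup);
    if (!result.ok) return; // forged or unrelated message: drop it
    win.removeEventListener("message", listener);
    onLogin(result.user);
  };
  win.addEventListener("message", listener);
  return { opened: true, popup };
}

// --- Popup page (login.example.com) side --------------------------------

// Run after the server has set the session cookie. Because the popup is a
// top-level window, that cookie is a first-party cookie for login.example.com.
// `parentOrigin` must be a value the popup trusts (e.g. validated server-side
// against an allowlist); never post the result to "*".
function reportLoginToOpener(popupWin, parentOrigin, user) {
  if (!popupWin.opener || parentOrigin === "*") return false;
  popupWin.opener.postMessage({ type: "login-complete", user }, parentOrigin);
  popupWin.close();
  return true;
}

// --- Offline simulation with constructed fake windows (not a browser) -----
// Models just enough of the browser: postMessage only delivers when the
// target origin matches, and "message" listeners receive origin/source/data.
function simulate() {
  const parentOrigin = "https://www.example.com"; // assumed parent origin
  const listeners = [];
  const fakePopup = { opener: null, closed: false, close() { this.closed = true; } };
  const parent = {
    open: () => fakePopup,
    addEventListener: (_type, fn) => listeners.push(fn),
    removeEventListener: (_type, fn) => {
      const i = listeners.indexOf(fn);
      if (i >= 0) listeners.splice(i, 1);
    },
    deliver(event) { listeners.slice().forEach((fn) => fn(event)); },
  };
  fakePopup.opener = {
    postMessage(data, targetOrigin) {
      if (targetOrigin === parentOrigin) {
        parent.deliver({ origin: LOGIN_ORIGIN, source: fakePopup, data });
      }
    },
  };
  const seen = [];
  const started = startLogin(parent, (user) => seen.push(user));
  // A forged message from another origin claiming the login finished: must be ignored.
  parent.deliver({ origin: "https://evil.example", source: fakePopup,
                   data: { type: "login-complete", user: "mallory" } });
  // The genuine report from the popup after the server set its cookie.
  reportLoginToOpener(fakePopup, parentOrigin, "alice");
  return { opened: started.opened, users: seen, popupClosed: fakePopup.closed,
           listenersLeft: listeners.length };
}
```

The simulation at the end shows the two checks that matter in practice: the forged message with the wrong event.origin is dropped, and only the popup’s own message is accepted, after which the listener is removed so a later message cannot trigger a second login.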
An alternate method for cross-domain cookies: Flash