The IM18+ system uses a simple but effective cookie-based approach for federated age verification. Here's how it works technically:
Cookie name: age_verified
Cookie value: true (when verified)
Domain: .im18.app
SameSite: Lax
Secure: true (HTTPS only)

Partner site includes iframe pointing to verify.im18.app:
<iframe src="https://verify.im18.app/api/check-anonymous.php"></iframe>

Iframe checks for age_verified cookie on im18.app domain:
$verified = isset($_COOKIE['age_verified']) && $_COOKIE['age_verified'] === 'true';

Result sent to parent via postMessage API:
parent.postMessage({verified: true, source: 'im18plus'}, '*');

Cookies are set on the .im18.app domain only, preventing partner sites from manipulating verification status.
The Secure flag ensures cookies are only transmitted over encrypted connections.
The SameSite=Lax setting prevents CSRF attacks while allowing legitimate cross-site usage.
The 30-day expiration ensures periodic re-verification.

<?php
// Partner site integration
echo '<iframe id="age-check" src="https://verify.im18.app/api/check-anonymous.php" style="display:none;"></iframe>';
?>
<script>
window.addEventListener('message', function(event) {
    // Only accept messages whose origin is exactly the verification host
    if (event.origin === 'https://verify.im18.app') {
        if (event.data.verified === true) {
            // User is verified - show content
            document.getElementById('adult-content').style.display = 'block';
        } else {
            // Show verification form
            window.open('https://verify.im18.app/verify.php', '_blank');
        }
    }
});
</script>
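
A stricter version of the partner-side listener above, as an added example rather than IM18+'s own code: besides the origin, it checks that the message came from the page's own iframe and that the payload has the shape sent by the check endpoint. The function name and the verify-prompt element id are hypothetical.

```javascript
// Added example (not IM18+ code): strict validation of the iframe's postMessage.
const IM18_ORIGIN = 'https://verify.im18.app'; // origin used on the page

// Returns 'verified', 'unverified' or 'ignore' for a received message event.
// expectedSource is the contentWindow of the partner's own #age-check iframe.
function classifyAgeMessage(event, expectedSource) {
  // 1. Exact origin match; a prefix or substring test would also accept
  //    look-alike hosts such as https://verify.im18.app.example
  if (event.origin !== IM18_ORIGIN) return 'ignore';
  // 2. The sender must be the iframe this page created, not some other
  //    window or frame that happens to share the origin.
  if (!expectedSource || event.source !== expectedSource) return 'ignore';
  // 3. Shape check: an object tagged source: 'im18plus' with a boolean flag.
  const d = event.data;
  if (d === null || typeof d !== 'object') return 'ignore';
  if (d.source !== 'im18plus' || typeof d.verified !== 'boolean') return 'ignore';
  return d.verified ? 'verified' : 'unverified';
}

// Browser wiring (skipped outside a browser). Content stays hidden unless a
// valid 'verified' result arrives, so a missing or malformed message fails closed.
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  const frame = document.getElementById('age-check');
  window.addEventListener('message', (event) => {
    const result = classifyAgeMessage(event, frame && frame.contentWindow);
    if (result === 'verified') {
      document.getElementById('adult-content').style.display = 'block';
    } else if (result === 'unverified') {
      // Hypothetical element: a link to https://verify.im18.app/verify.php,
      // revealed instead of calling window.open outside a user gesture.
      const prompt = document.getElementById('verify-prompt');
      if (prompt) prompt.style.display = 'block';
    }
  });
}
```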
No personal information is stored in cookies. The system only tracks verification status, not identity or personal details.