By a domain cookie I mean a cookie with a domain like .domain.com.
I can read this cookie from any subdomain, but can I set this cookie with a new value from the domain example.domain.com?
We have a wildcard domain hosted on Azure. I've set up subdomain.domain.com to rewrite to domain.com/subdomain. It all works fine.
However, when I log in to our identity server, once the login process is completed and I am redirected back to subdomain.domain.com, it seems like the authentication token is lost.
I can't see how this can be possible. This issue happens with all our identity providers (Google, Facebook, Microsoft Live).
If I change the setup to use domain.com/subdomain, then everything works as expected.
The main issue is what type of cookie your identity server places.
It looks like your server places a domain-specific cookie, not a wildcard one.
Cookie domains
A common issue with the authentication cookie is the domain of the cookie. Similarly to the paths of cookies, if the cookies are created on two different subdomains, then the cookie will only be accessible on the domain where it was created. For instance, your main application may be on www.domain.com, but you have Telligent Evolution running on cs.domain.com. If you create the cookie on www.domain.com, the browser will only send it to that domain, and it won't be passed along when they navigate over to cs.domain.com.
The cookie can be carried over by setting the domain to ".domain.com". Cookies don't use the common "*" wildcard. Simply use ".domain.com". With this entry, the browser will now pass the cookie when it goes over to cs.domain.com as well.
Like the path, the domain can be specified in either the web.config or through code. When setting the web.config file, it will only check for the authorization cookie. You must have this set for the site to correctly recognize the new domain level cookie:
<authentication mode="Forms">
<forms name=".CommunityServer" ... domain=".domain.com" />
</authentication>
The "domain" name is ignored by the FormsAuthentication.SetAuthCookie method, so you must manually set it on your login page when creating the AuthCookie. For example:
HttpCookie cookie = FormsAuthentication.GetAuthCookie(username, true);
cookie.Domain = ".domain.com";
Response.Cookies.Add(cookie);
If I store a cookie or set a session associated with http://mydomain.com, the same cookie or session will not be picked up on http://www.mydomain.com. I am using http://mydomain.com as my default URL.
Will Google Analytics track both the www and non-www domains as one in this case?
If you set your own cookie with a domain of "mydomain.com", then it will only be visible on that domain (no subdomains). If you set your own cookie as ".mydomain.com" (prefix it with a dot), then it will be visible on "mydomain.com" and any subdomain of mydomain.com.
GA by default sets its cookie on the exact domain, so if you are on "www.mydomain.com" then it will set it for "www.mydomain.com" and it will not be visible on "mydomain.com" or some other subdomain. If however you specify to GA to use "mydomain.com" then it will be available on any subdomain. Note the lack of dot, which is not consistent with how you would normally set a cookie domain with your own code. This is because GA automatically prefixes a dot to it, within their own code.
For more info, refer to their document entry on Tracking Multiple Domains
Suppose I have a cookie that is set for .domain.com, and my subdomain is sub.domain.com. Can I delete cookies that are set for the main domain? I know it is possible to read them, but is it possible to delete these cookies, or overwrite their values?
Yes, a subdomain can set/expire a cookie for the main domain, but the main domain cannot set/expire a cookie for a subdomain. See RFC 6265 Sections 5.1.3, 5.3 (see point #6), and 8.6. Section 8.6 in particular describes how a subdomain can set a cookie for the main domain and have it affect a sibling subdomain.
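The domain rules this answer cites, together with the host-only vs. ".domain.com" behaviour described in the Telligent answer above and the www/non-www case, played out in a small cookie-store simulator. This is an added example, not code from any of the posts: it models RFC 6265 §5.1.3 domain matching, §5.3 step 6 (a host may only set a cookie for a domain it itself domain-matches) and §5.4 selection; it ignores Path, Secure and expiry times, and stands in for the public-suffix check with a crude "must contain a dot" test. All host names and cookie names are made up for illustration.

```javascript
// Added example (not from the original posts): a miniature RFC 6265 cookie
// store that models how a browser accepts and returns cookies by Domain.
// Host names and cookie names below are made up for illustration.

// RFC 6265 section 5.1.3: does `host` domain-match `domain`?
function domainMatches(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  if (host === domain) return true;
  // host must end with domain, the character before that suffix must be a
  // dot, and host must not be an IPv4 literal.
  return host.endsWith(domain) &&
    host[host.length - domain.length - 1] === '.' &&
    !/^\d+\.\d+\.\d+\.\d+$/.test(host);
}

class CookieJar {
  constructor() { this.cookies = []; }

  // Simulate a Set-Cookie header received in a response from `requestHost`.
  // Returns true if the cookie is stored, false if a browser would ignore it.
  setCookie(requestHost, { name, value, domain, expired = false }) {
    let hostOnly = true;
    let cookieDomain = requestHost.toLowerCase();
    if (domain) {
      // Section 5.2.3: a leading dot in the Domain attribute is ignored.
      cookieDomain = domain.replace(/^\./, '').toLowerCase();
      // Crude stand-in for the public-suffix check (section 5.3 step 5):
      // refuse Domain=com and the like.
      if (!cookieDomain.includes('.')) return false;
      // Section 5.3 step 6: reject unless the request host domain-matches the
      // attribute. This is why domain.com cannot set a cookie scoped to
      // sub.domain.com, while sub.domain.com can set one for domain.com.
      if (!domainMatches(requestHost, cookieDomain)) return false;
      hostOnly = false;
    }
    // Section 5.3 step 11 (Path ignored here): a cookie with the same name and
    // domain replaces the old one; an already-expired cookie just removes it.
    this.cookies = this.cookies.filter(
      c => !(c.name === name && c.domain === cookieDomain));
    if (!expired) this.cookies.push({ name, value, domain: cookieDomain, hostOnly });
    return true;
  }

  // Section 5.4: which cookies are attached to a request to `requestHost`?
  cookiesFor(requestHost) {
    const h = requestHost.toLowerCase();
    return this.cookies
      .filter(c => (c.hostOnly ? c.domain === h : domainMatches(h, c.domain)))
      .map(c => `${c.name}=${c.value}`);
  }
}

// Walk through the scenarios discussed in the thread and collect the outcomes.
function demo() {
  const jar = new CookieJar();
  const out = {};

  // 1. Host-only cookie (no Domain attribute) created on www.domain.com is
  //    not sent to cs.domain.com.
  jar.setCookie('www.domain.com', { name: 'hostonly', value: '1' });
  out.hostOnlySentToCs = jar.cookiesFor('cs.domain.com').includes('hostonly=1');

  // 2. The same cookie set with Domain=.domain.com reaches cs.domain.com and
  //    the apex (the www / non-www case).
  jar.setCookie('www.domain.com', { name: 'shared', value: '1', domain: '.domain.com' });
  out.sharedSentToCs = jar.cookiesFor('cs.domain.com').includes('shared=1');
  out.sharedSentToApex = jar.cookiesFor('domain.com').includes('shared=1');

  // 3. sub.domain.com overwrites the domain cookie, then expires it, and the
  //    sibling cs.domain.com sees both effects (RFC 6265 section 8.6).
  jar.setCookie('sub.domain.com', { name: 'shared', value: 'overwritten', domain: 'domain.com' });
  out.afterOverwrite = jar.cookiesFor('cs.domain.com');
  jar.setCookie('sub.domain.com', { name: 'shared', value: '', domain: 'domain.com', expired: true });
  out.afterExpire = jar.cookiesFor('cs.domain.com');

  // 4. The apex cannot scope a cookie to a subdomain ...
  out.apexCanScopeToSub = jar.setCookie('domain.com', { name: 'x', value: '1', domain: 'sub.domain.com' });
  // 5. ... and an unrelated host cannot set a cookie for domain.com at all.
  out.evilCanSet = jar.setCookie('evil.com', { name: 'x', value: '1', domain: 'domain.com' });
  return out;
}

console.log(JSON.stringify(demo(), null, 2));
```

Step 3 is the security-relevant part: any host under domain.com can overwrite or expire a Domain=domain.com cookie for every sibling, so a compromised or untrusted subdomain can fix or clear a session cookie shared at that level. That is the weak-integrity property RFC 6265 §8.6 warns about, and the reason to share cookies at the apex only when every subdomain is equally trusted.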
Is it possible to delete a cookie on http://domain.com from the subdomain http://subdomain.domain.com?
You can delete it if the cookie has been set from the domain, or from the same subdomain.
When you make a cookie, one of the parameters is the domain:
Response.Cookies["nameof"].Domain
If you do not set that parameter, then it gets the domain read from the URL.
If this parameter is without a subdomain, e.g. domain.com, then the cookie can be accessed from all subdomains.
If this parameter has a subdomain, e.g. www.domain.com, then it can be accessed only from that one.
When I create a cookie for a domain, is it possible to set that this cookie should be on both the www and non-www domain?
I check for a cookie, and if it is not present I redirect to the login page (it's not a super secure thing). It seems that when the user has a cookie, if the URL changes to www. they get redirected to login again.
When you drop the cookie, specify .mydomain.com, note the leading period. That should work for both the root domain and the www subdomain.
#electronherders' solution works, but you should also consider canonicalising either the www or the no-www domain. Redirect visitors from one to the other, so there's only one correct URL for your site.