Can a subdomain delete a domain cookie?

Suppose I have a cookie that is set for .domain.com, and my subdomain is sub.domain.com. Can I delete cookies that are set for the main domain? I know it is possible to read them, but is it possible to delete these cookies, or overwrite their values?

Yes, a subdomain can set/expire a cookie for the main domain, but the main domain cannot set/expire a cookie for a subdomain. See RFC 6265 Sections 5.1.3, 5.3 (see point #6), and 8.6. Section 8.6 in particular describes how a subdomain can set a cookie for the main domain and have it affect a sibling subdomain.
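The rules cited in that answer, as an added example that is not part of the original answer: a simplified cookie store following RFC 6265 Sections 5.1.3, 5.2.3, 5.3 and 5.4, showing a subdomain overwriting and expiring a parent-domain cookie, a sibling subdomain receiving the overwritten value, and the parent's attempt to set a cookie for the subdomain being ignored. `CookieJar` and `demo` are hypothetical names; Path, Secure, IP-address hosts and the public-suffix check are left out.

```javascript
// Section 5.1.3: a host domain-matches a cookie domain if it is identical
// to it or ends with "." + cookie domain (IP-address hosts are not handled here).
function domainMatch(host, cookieDomain) {
  host = host.toLowerCase();
  cookieDomain = cookieDomain.toLowerCase();
  return host === cookieDomain || host.endsWith("." + cookieDomain);
}

class CookieJar {
  constructor() { this.cookies = []; }

  // Section 5.3: store a cookie received from requestHost; false means "ignored".
  set(requestHost, name, value, { domain = "", maxAge = null } = {}) {
    domain = domain.replace(/^\./, "").toLowerCase();      // 5.2.3: leading dot is dropped
    let hostOnly = true;
    if (domain !== "") {
      if (!domainMatch(requestHost, domain)) return false;  // 5.3 step 6: foreign Domain
      hostOnly = false;
    } else {
      domain = requestHost.toLowerCase();                   // host-only cookie
    }
    // 5.3 step 11: same name + domain (path fixed to "/" here) replaces the old cookie.
    this.cookies = this.cookies.filter(c => !(c.name === name && c.domain === domain));
    if (maxAge !== null && maxAge <= 0) return true;        // already expired: nothing kept
    this.cookies.push({ name, value, domain, hostOnly });
    return true;
  }

  // Section 5.4: cookies that would be sent on a request to host.
  cookiesFor(host) {
    host = host.toLowerCase();
    return this.cookies
      .filter(c => (c.hostOnly ? host === c.domain : domainMatch(host, c.domain)))
      .map(c => `${c.name}=${c.value}`);
  }
}

// Constructed scenario using the hostnames from the question.
function demo() {
  const jar = new CookieJar();
  const log = {};
  jar.set("domain.com", "sid", "parent", { domain: "domain.com" });
  log.overwrite = jar.set("sub.domain.com", "sid", "from-sub", { domain: ".domain.com" });
  log.siblingSees = jar.cookiesFor("other.domain.com");
  log.parentToChild = jar.set("domain.com", "x", "1", { domain: "sub.domain.com" });
  log.expire = jar.set("sub.domain.com", "sid", "", { domain: "domain.com", maxAge: 0 });
  log.afterExpire = jar.cookiesFor("domain.com");
  return log;
}
console.log(demo());
```
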

Related

Share cookie between domains

I have a cookie generated on a domain www.foo.bar that I need to share with another website located on www.something.com.bar.
Both sites are hosted on the same server.
Can I do that, and if yes, how?
Thanks.
No, you cannot share cookies across domains. The browser will only send a cookie to the domain (or sub-domains thereof) that initially set it.
Read up on the Same origin policy / Cookie policy

Google Analytics Domain With and Without WWW

If I store a cookie or set a session associated with http://mydomain.com, the same cookie or session will not be picked up on http://www.mydomain.com. I am putting down http://mydomain.com as my default URL.
Will Google Analytics track both the www and non-www domains as one in this case?
If you set your own cookie with a domain of "mydomain.com", then it will only be visible on that domain (no subdomains). If you set your own cookie as ".mydomain.com" (prefix it with a dot), then it will be visible on "mydomain.com" and any subdomain of mydomain.com.
GA by default sets its cookie on the exact domain, so if you are on "www.mydomain.com" then it will set it for "www.mydomain.com" and it will not be visible on "mydomain.com" or some other subdomain. If however you specify to GA to use "mydomain.com" then it will be available on any subdomain. Note the lack of dot, which is not consistent with how you would normally set a cookie domain with your own code. This is because GA automatically prefixes a dot to it, within their own code.
For more info, refer to their document entry on Tracking Multiple Domains

How To Prevent Cookies From Being Created Under Different Hosts

I've run into a problem and I'm not sure how to go about fixing it. Here is the scenario.
A user visits my website (www.MyWebSite.com) and clicks on a button that puts a cookie on their computer. If I examined that cookie on their machine it would list the "host" as www.MyWebSite.com.
If the user then changes the URL in their browser to MyWebSite.com (without the www), reloads the page, and then clicks on the button, a brand new cookie with the same name as the first cookie is created. The host of this cookie is MyWebSite.com.
Obviously this is not good - besides two cookies with the same name, only the cookie with the corresponding URL address is being read by my program.
Can I force cookies to be created with the www host and/or can I force the page to be www or what??? What and how is the best way to prevent this problem?
Cookie Creation using VB.net
Response.Cookies("AAA")("bbb") = strABC
Response.Cookies("AAA").Expires = DateTime.Now.AddDays(1)
Any help is greatly appreciated.
For (obvious) security reasons you can only read cookies that are set by the same domain the user requests. It doesn't matter if it is just a difference like in your example, or an entirely different domain name.
What you could do in this situation (it should improve your SEO as well), is redirect (301) all traffic from the site without www to the site with www.
If you're using IIS 7 or higher, you can find an example on how to do that with URL Rewrite here: http://weblogs.asp.net/owscott/archive/2009/11/27/iis-url-rewrite-rewriting-non-www-to-www.aspx
That's for security reasons. Any subdomain of a host is considered to be another realm, another world.
If you want your cookies to be sent to your subdomains too, then start the Host attribute of the cookie with a "." character. In other words, set your cookie for .MyWebSite.Com.
See Wikipedia for more information.

Authentication cookie with subdomains

I have an ASP.NET website http://www.site.com. This web app is also running on http://subdomain1.site.com and http://subdomain2.site.com. Now I want to set the authentication cookie in such a way that http://site.com and http://www.site.com share the authentication cookie, but it should not be shared by http://subdomain1.site.com. Similarly, http://www.domain1.site.com and http://domain1.site.com should share a cookie, but it should not be shared by http://domain2.site.com or http://www.domain2.site.com. How can I handle this with ASP.NET?
By default, cookies are associated with a specific domain. For example, if your site is www.contoso.com, the cookies you write are sent to the server when users request any page from that site. (This might not include cookies with a specific path value.) If your site has subdomains—for example, contoso.com, sales.contoso.com, and support.contoso.com—then you can associate cookies with a specific subdomain.
Response.Cookies["domain"].Domain = "support.contoso.com";
Normally a cookie set on contoso.com will be accessed by all subdomains, but if you want to limit the subdomains for the cookie, you should manually set the domain property for each domain you want them to access.
Regards.
I ended up using different cookie names on different domains as described in this article

It's possible to share a cookie between 'some' subdomains?

I've been reading some posts about web performance, one of the points is to
serve static content from a cookie-free domain, my question is:
Can I share cookies between, let's say example.com and www.example.com, while excluding static1.example.com, static2.example.com, etc?
Or do I need to set a different top level domain?
I know (or I think) that I could set the domain of the cookie to '.example.com', but
correct me if I'm wrong this shares the cookies across all sub-domains.
If you need to share cookies across subdomains you need to scope the cookie at the domain level (e.g. .example.com). When you do that the cookie is available to all the subdomains of .example.com.
For a cookie free static content domain, it is usually a separate domain (e.g. example_staticstuff.com). There is a default two connection limit per domain in HTTP 1.1, so having separate domains often helps speed up simultaneous downloads.
Your assumptions are correct :-)
You would have to set a cookie for each sub-domain you want to authorize with the full host-name. This creates additional HTTP header overhead and would be a maintenance nightmare :[
