cookie domain getting changed, only one cookie with '.' one without - asp.net

I am explicitly setting a cookie domain so it is shared between the domain and a sub domain. Think mysite.com and payment.mysite.com. Sometimes I get two session cookies when I only have one specified. When looking in firefox the domains on the cookies are different, one is "mysite.com" and the other is ".mysite.com" how does this happen? I am setting the domain to mysite.com but it is trimmed from one.
I am using asp.net.
Thanks

It depens what you specify as a domain in setcookie function. Please take a look at the description in here http://php.net/setcookie.

Related

Cookies and subdomains for cookieless domains

I have set (I use PHP) my cookies' domain to be www.example.com - but will those cookies be sent back to the static.www.example.com? From what I've read already the answer is a depressing 'yes'.
The reason is that I'm trying to implement a static subdomain for CSS/images without resorting to buying an entire new domain (eg www.example-static.com)
From what I've read already the answer is a depressing 'yes'.
That's correct. If you set the cookie domain to www.example.com it will be sent to *.www.example.com.
Using static-www.example.com would work as expected and the cookie will not be sent to this subdomain.

How to respect "Serve static content from a cookieless domain" page speed rule in IIS6?

How to respect "Serve static content from a cookieless domain" page speed rule in IIS6?
To create a cookieless site (or subdomain, which is a very common best-practice) in IIS6/IIS7/IIS7.5 is simple : you need to tell the website that you are not to use cookies :) Which means in IIS terms, not to use a session.
This can be achieved in IIS6/IIS7 via two ways.
Modifying the Web.config file (my personal recommendation)
Using the IIS Manager GUI to find the setting and changing it.
IMPORTANT
Before you do any testing, you must must must clear all cookies (or all cookies for the domain u are testing) otherwise, they will get passed along even if u have done all the steps.
1. Via Config File
You need to define the session state to off.
<system.web>
<sessionState cookieName="What_ever" mode="Off" />
</system.web>
NOTE: Please note that the attribute cookieless (true|false) does NOT mean 'send cookies/do not sent cookies). That's for using sessions with/without cookies ... and passes some cookie guid into the url instead (if set to true).
2. Via Gui
Hope this Helps (i assume u know how to test that no cookies are working/not working...)
What this means is that your content needs to come from a domain that has no cookies attached to it. StackOverflow.com is an example of a site that does this. You will notice that all SO's static content comes from a domain called sstatic.net.
http://sstatic.net/stackoverflow/all.css
http://sstatic.net/js/master.js
This is so that the client and the server don't have to waste resources on actually parsing and handling cookie data. The good news is, you can use a sub-domain, assuming that you set your cookie path correctly.
Yahoo Best Practices for Speeding Up
Your Web Site
Use Cookie-free Domains for Components
When the browser makes a request for a
static image and sends cookies
together with the request, the server
doesn't have any use for those
cookies. So they only create network
traffic for no good reason. You should
make sure static components are
requested with cookie-free requests.
Create a subdomain and host all your
static components there. If your
domain is www.example.org, you can
host your static components on
static.example.org. However, if you've
already set cookies on the top-level
domain example.org as opposed to
www.example.org, then all the requests
to static.example.org will include
those cookies. In this case, you can
buy a whole new domain, host your
static components there, and keep this
domain cookie-free. Yahoo! uses
yimg.com, YouTube uses ytimg.com,
Amazon uses images-amazon.com and so
on.
Another benefit of hosting static
components on a cookie-free domain is
that some proxies might refuse to
cache the components that are
requested with cookies. On a related
note, if you wonder if you should use
example.org or www.example.org for
your home page, consider the cookie
impact. Omitting www leaves you no
choice but to write cookies to
*.example.org, so for performance reasons it's best to use the www
subdomain and write the cookies to
that subdomain.
create subdomain ( for example static.example.com ) and store all static content(images, css, js) here

Can subdomain.example.com set a cookie that can be read by example.com?

I simply cannot believe this is quite so hard to determine.
Even having read the RFCs, it's not clear to me if a server at subdomain.example.com can set a cookie that can be read by example.com.
subdomain.example.com can set a cookie whose Domain attribute is .example.com. RFC 2965 seems to explicitly state that such a cookie will not be sent to example.com, but then equally says that if you set Domain=example.com, a dot is prepended, as if you said .example.com. Taken together, this seems to say that if example.com returns sets a cookie with Domain=example.com, it doesn't get that cookie back! That can't be right.
Can anyone clarify what the rules really are?
Yes.
If you make sure to specify that the domain is .example.com, then *.example.com and example.com can access it.
It's that principle that allows websites that issue cookies when somebody goes to www.website.com to access cookies when someone leaves off the www, going to website.com.
EDIT: From the PHP documentation about cookies:
domain The domain that the cookie is
available. To make the cookie
available on all subdomains of
example.com then you'd set it to
'.example.com'. The . is not required
but makes it compatible with more
browsers. Setting it to
www.example.com will make the cookie
only available in the www subdomain.
Refer to tail matching in the ยป spec
for details.
http://php.net/manual/en/function.setcookie.php
And it's not unique to PHP.

Setting cookies for multiple sub-domains

Is it possible to set a cookie for http://www.example.com from a PHP file located at https://secure.example.com? I have some code that was given to me, that appears to try and fails at this. I was wondering if this is possible at all.
Webpages can only set cookies for the second (or higher) level domain that they belong to.
This means that secure.example.com can read and set cookies for secure.example.com or .example.com, the latter of which can also be read and set by www.example.com
One last note: If the secure flag is set on a cookie, it can only be read and set over an https connection.
If you set the cookie domain to ".example.com", the cookie will work for all subdomains.

Cookies and subdomains

Can a cookie be shared between two sites on the same top level domain? Say www.example.com and secure.example.com ?
We are looking into implementing a cache for non-secure content, and need to segregate secure content to another domain.
What parameters does the cookie need? I'm using asp.net
Yes, you can. Use:
Response.Cookies("UID").Domain = ".myserver.com"
The easiest way to apply a cookie domain that can be shared across subdomains is to put it in your web.config:
<forms cookieDomain="example.com">
Yes, but beware don't set same-named cookies in various subdomains, as the resulting cookie appears to be random; instead, set one cookie in the .maindomain.com only (not in any .sub.domain.com)

Resources