asp.net cookies subsites - asp.net

How should I go about creating a cookie that can be read on my site's URL, and all subsites?
i.e. cookie called "myCookie" created on http://www.mysite.com/
Once created, it can then be read on http://site1.mysite.com/ and http://site2.mysite.com/ etc etc.
The above scenario should happen if the user has opted to "remember" their cookie.
I am assuming that if the cookie isn't persisted, it will be "lost" when they change site.
The above sites are in their own IIS entries, and in my case, completely different servers.
Cheers!
EDIT:
I created my cookie on the sub-domain, so that fire cookie reads its domain as ".mysite.com".
The mainsite doesn't recognise this cookie, but I think it is their site that needs to change.
Create the cookie so that my site can read it,
Be able to read the cookie if my site creates it.

You are going to need to fix your cookie domain on your PHP site. The subsites will not be able to read your cookies unless you do that. Since you are saying that your main site is in PHP and the cookie domain is "www.mysite.com", this will need to be done on the PHP side.
ini_set('session.cookie_domain', 'mysite.com');
You are not going to be able to read it otherwise.

Related

How To Prevent Cookies From Being Created Under Different Hosts

I've run into a problem and I'm not sure how to go about fixing it. Here is the scenario.
A user visits my website (www.MyWebSite.com) and clicks on a button that puts a cookie on their computer. If I examined that cookie on their machine it would list the "host" as www.MyWebSite.com.
If the user then changes the URL in their browser to MyWebSite.com (without the www) reloads the page and then clicks on the button, a brand new cookie with the same name as the first cookie is created. The host of this cookie is MywebSite.com
Obviously this is not good - beside two cookies with the same name, only the cookie with the corresponding URL address is being read by my program.
Can I force cookies to be created with the www host and/or can I force the page to be www or what??? What and how is the best way to prevent this problem?
Cookie Creation using VB.net
Response.Cookies("AAA")("bbb") = strABC
Response.Cookies("AAA").Expires = DateTime.Now.AddDays(1)
Any help is greatly appreciated.
For (obvious) security reasons you can only read cookies that are set by the same domain the user requests. It doesn't matter if it is just a difference like in your example, or an entirely different domain name.
What you could do in this situation (it should improve your SEO as well), is redirect (301) all traffic from the site without www to the site with www.
If you're using IIS 7 or higher, you can find an example on how to do that with URL Rewrite here: http://weblogs.asp.net/owscott/archive/2009/11/27/iis-url-rewrite-rewriting-non-www-to-www.aspx
That's for security reasons. Any subdomain of a host is considered to be another realm, another world.
If you want your cookies to be sent to your subdomains too, then start the Host attribute of the cookie with a "." character. In other words, set your cookie for .MyWebSite.Com.
See Wikipedia for more information.

Pass session through secure channel without losing it

I have installed nopCommerce v2.5 on abc.domainName.com and I have a wildcard SSL certificate for a different domain name but on the same server, e.g. abc.domainNameSSL.com. So when I transfer from a non-secure page to a secure page, I lose my session.
So can anyone tell me what is the best way to pass the session in this condition?
Thanks in advance.
If you are authenticated on one domain and then transferring to another domain, you'll lose the session cookie because it cannot cross domains.
For example, if you are logged into abc.name.com and then transfer to another domain (i.e. abc.nameSSL.com), even if it is the exact same website you'll lose the session. The server is looking for the session cookie which was stored under abc.name.com. Now that you are on abc.namessl.com it cannot find it. Thus you are not logged in.
A work around would be to not change the root domain (name.com) and instead do something like abcssl.name.com. You'd have to set up a domain wildcard for the session cookie, but it would work.

Authentication cookie with subdomains

I have an asp.net website http://www.site.com. This web app is also running on http://subdomain1.site.com and http://subdomain2.site.com. Now I want to set the authentication cookie in such a way that http://site.com and http://www.site.com share the authentication cookie but it should not be shared by http://subdomain1.site.com. Similarly, http://www.domain1.site.com and http://domain1.site.com should share a cookie but it should not be shared by http://domain2.site.com or http://www.domain2.site.com. How can I handle this with asp.net?
By default, cookies are associated with a specific domain. For example, if your site is www.contoso.com, the cookies you write are sent to the server when users request any page from that site. (This might not include cookies with a specific path value.) If your site has subdomains—for example, contoso.com, sales.contoso.com, and support.contoso.com—then you can associate cookies with a specific subdomain.
Response.Cookies["domain"].Domain = "support.contoso.com";
Normally a cookie set on contoso.com will be accessed by all subdomains, but if you want to limit the subdomains for the cookie you should manually set the domain property for each domain you want to be able to access it.
Regards.
I ended up using different cookie names on different domains as described in this article
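The scoping rules the threads above rely on (a cookie with no Domain is tied to the exact host, a cookie with Domain set to the parent reaches every subdomain) can be modelled as follows. This is an added example, not code from any of the posts; it is a simplified rendering of RFC 6265 sections 5.1.3 and 5.3, the function names are hypothetical, and public-suffix and IP-address checks are left out.

```javascript
// Added example: simplified RFC 6265 cookie scoping. Host names are the
// ones used in the questions above; the function names are hypothetical.

// RFC 6265 5.1.3: a host domain-matches a cookie domain when it is equal
// to it or ends with "." + that domain.
function domainMatch(host, cookieDomain) {
  host = host.toLowerCase();
  cookieDomain = cookieDomain.toLowerCase();
  return host === cookieDomain || host.endsWith("." + cookieDomain);
}

// What the browser stores when `setterHost` sends Set-Cookie with an
// optional Domain attribute. Returns null when the cookie is rejected.
function storeCookie(setterHost, domainAttr) {
  if (!domainAttr) {
    // No Domain attribute: host-only cookie, returned to the setting host only.
    return { domain: setterHost.toLowerCase(), hostOnly: true };
  }
  // A leading dot is ignored: ".mysite.com" and "mysite.com" are equivalent.
  const domain = domainAttr.replace(/^\./, "").toLowerCase();
  // The setting host must itself fall under the Domain it names, so a site
  // cannot set (or overwrite, or expire) cookies for a foreign domain.
  if (!domainMatch(setterHost, domain)) return null;
  return { domain, hostOnly: false };
}

// Would the browser attach the stored cookie to a request for requestHost?
function isSentTo(cookie, requestHost) {
  if (cookie === null) return false;
  return cookie.hostOnly
    ? requestHost.toLowerCase() === cookie.domain
    : domainMatch(requestHost, cookie.domain);
}

// Subset of `hosts` that would receive the cookie.
function reach(setterHost, domainAttr, hosts) {
  const cookie = storeCookie(setterHost, domainAttr);
  return hosts.filter((h) => isSentTo(cookie, h));
}

// Constructed list of request hosts.
const hosts = ["mysite.com", "www.mysite.com", "site1.mysite.com", "othersite.com"];
console.log(reach("www.mysite.com", undefined, hosts));       // host-only
console.log(reach("site1.mysite.com", ".mysite.com", hosts)); // parent-domain scope
console.log(reach("www.mysite.com", "othersite.com", hosts)); // rejected, never stored
```

A cookie scoped to the parent domain is sent to every subdomain, so an authentication cookie set that way is readable by any application hosted under it. Sharing between site.com and www.site.com while excluding subdomain1.site.com cannot be expressed with the Domain attribute alone.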

Set domain of session cookie dynamically in ASP.NET

I use session objects in my web application which are traced by the ASP.NET session cookie internally, as we all know. So access to that cookie is essential to have access to session objects. I want my asp.net application to work under http:// and http://www or any subdomain (the domain is unknown to me at development time).
Can't be done. The session cookie only works for 1 domain and 1 domain only.
You could, however, write your own session management system and maybe accomplish shared session that way. I still don't think you'd be able to re-use the cookie because the browser won't even send it in the first place.
After some more thought I've decided that I'm not sure. :) Perhaps if both subdomains map to the same ASP.NET application you could get share session to work. All you'd have to do is set your cookies as such:
<httpCookies domain=".maindomain.com" />
If the different subdomains don't map to the same app, I think you'd definitely have to write your own session management.
Clearly, at this point you should take everything I've written with a grain of salt. I'm only leaving my answer up for you to get some ideas and so that people may comment on the correctness of it.
Why don't you leave domain field empty? That way you won't bind your cookies to some specific domain and will be able to play well whatever the domain of your site will be.

How can my website delete another site's cookies?

I'd like to remove the cookies of another site from users on my site. Is there any way to access the cookies from different domains.
No, the same origin policy forbids that. You can only view or set cookies that you set and that are valid for the current URL.
No, of course not. That would be terrible. How would you like it if any site you went to could just read your stored password to any site you have saved?
Try it and Google will block your site from Chrome and your whole site will end up being blacklisted as it appears to contain Malware! While it's not illegal, it's a kind of behaviour that makes you as popular on the Internet as the average spammer...
Furthermore, the storage of cookies depends on the browser that is used by the client. You don't have any control over that.
However, if the other site has a URL that will remove the cookie, you can inline that URL in an IFrame on your site so visitors of your site will call the cookie cleaner from the other site, thus clearing their cookie in a valid way. The Same Origin Policy will apply in this case since it's the original site that clears it. But if the other site offers no such functionality then it won't work...
The only place I can think that you'd need this would be if you owned many domains, and you log in on one domain, you want to log off in another domain.
In PHP, the "setcookie" function has a way to specify a domain. You should put in the domain you wish for the cookies to be modified under. Then you can erase/modify the cookies across all those domains.
Otherwise though, the answer is no, you cannot modify a cookie on another domain unless it gave you permission to modify such cookies.
Wow, I certainly hope there's no way to do this! If there is a way, it's a bug in the browser security.
Obvious follow-up questions: Is there any way I can set something in a user's browser that will prevent him from accessing a competitor's site? Is there any way I can cause other people's web servers to explode and kill everyone in the building?
