This is pretty much a basic question, since I got a bit confused.
When we set a cookie with the domain .mydomain.com, that means the same cookie is used across subdomains. What if I use .test.mydomain.com: does it mean URLs like helloworld.test.mydomain.com will be able to reuse the cookie?
Yes, that's how it works. There's no special detection of what level the 'subdomains' are, everything is really a subdomain to the TLD at the least. What if you had a .co.uk address?
Here is an interesting article about sharing cookies across subdomains:
15Seconds
Related
I have a cookie generated on a domain www.foo.bar that I need to share with another website located on www.something.com.bar.
Both sites are hosted on the same server.
Can I do that, and if yes, how?
Thanks.
No, you cannot share cookies across domains. The browser will only send a cookie to the domain (or sub-domains thereof) that initially set it.
Read up on the Same origin policy / Cookie policy
Is there a way to share cookies across different domains and different applications (classic ASP and ASP.NET)
No, there isn't.
The issue is the cross-domain one, rather than the ASP.NET/classic ASP one, and is for security reasons.
If the domains are subdomains you can share the cookies, provided you use a cookie path that both can access (ie. for the domain sub.example.com you can read and write cookies using the example.com domain).
You can share cookies via some behind the scenes communication between servers, or through querystrings.
Both are ill advised, unless the information in the cookies is harmless (but be aware that harmless looking data quite often isn't actually harmless).
Native support for accessing cookies is not possible cross domain, and probably will never be for security reasons.
You can use a cookie converter which saves all the cookies in a shared database and tries to recreate them again.
I'd like to remove the cookies of another site from users on my site. Is there any way to access the cookies from different domains?
No, the same origin policy forbids that. You can only view or set cookies that you set and that are valid for the current URL.
No, of course not. That would be terrible. How would you like it if any site you went to could just read your stored password to any site you have saved?
Try it and Google will block your site from Chrome and your whole site will end up being blacklisted as it appears to contain Malware! While it's not illegal, it's a kind of behaviour that makes you as popular on the Internet as the average spammer...
Furthermore, the storage of cookies depends on the browser that is used by the client. You don't have any control over that.
However, if the other site has a URL that will remove the cookie, you can inline that URL in an IFrame on your site so visitors of your site will call the cookie cleaner from the other site, thus clearing their cookie in a valid way. The Same Origin Policy will apply in this case since it's the original site that clears it. But if the other site offers no such functionality then it won't work...
The only place I can think that you'd need this would be if you owned many domains, and you log in on one domain, you want to log off in another domain.
In PHP, the "setcookie" function has a way to specify a domain. You should put in the domain you wish for the cookies to be modified under. Then you can erase/modify the cookies across all those domains.
Otherwise though, the answer is no, you cannot modify a cookie on another domain unless it gave you permission to modify such cookies.
Wow, I certainly hope there's no way to do this! If there is a way, it's a bug in the browser security.
Obvious follow-up questions: Is there any way I can set something in a user's browser that will prevent him from accessing a competitor's site? Is there any way I can cause other people's web servers to explode and kill everyone in the building?
I've been reading some posts about web performance, one of the points is to serve static content from a cookie-free domain, my question is:
Can I share cookies between, let's say example.com and www.example.com, while excluding static1.example.com, static2.example.com, etc?
Or do I need to set a different top level domain?
I know (or I think) that I could set the domain of the cookie to '.example.com', but correct me if I'm wrong this shares the cookies across all sub-domains.
If you need to share cookies across subdomains you need to scope the cookie at the domain level (e.g. .example.com). When you do that the cookie is available to all the subdomains of .example.com.
For a cookie free static content domain, it is usually a separate domain (e.g. example_staticstuff.com). There is a default two connection limit per domain in HTTP 1.1, so having separate domains often helps speed up simultaneous downloads.
Your assumptions are correct :-)
You would have to set a cookie for each sub-domain you want to authorize with the full host-name. This creates additional HTTP header overhead and would be a maintenance nightmare :[
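The scoping rules discussed in the answers above (a Domain attribute covers every host below it, a cookie without one stays on the exact host, and a browser refuses a Domain that is a public suffix or foreign to the setting host) can be checked with the sketch below. It is an added example, not code from any of the posters; it follows the RFC 6265 domain-matching and storage steps, and `PUBLIC_SUFFIXES` is a constructed three-entry stand-in for the real Public Suffix List.

```python
import ipaddress

# Constructed stand-in for the Public Suffix List that browsers ship.
PUBLIC_SUFFIXES = {"com", "uk", "co.uk"}


def domain_match(host, cookie_domain):
    """RFC 6265 section 5.1.3: is host equal to, or a subdomain of, cookie_domain?"""
    host, cookie_domain = host.lower(), cookie_domain.lower()
    if host == cookie_domain:
        return True
    try:
        ipaddress.ip_address(host)
        return False                      # IP literals never suffix-match
    except ValueError:
        # The dot prevents "badexample.com" from matching "example.com".
        return host.endswith("." + cookie_domain)


def store_cookie(setting_host, domain_attr=None):
    """Return (domain, host_only) as the browser stores it, or None if rejected."""
    setting_host = setting_host.lower()
    if not domain_attr:
        return (setting_host, True)       # no Domain attribute: exact host only
    domain = domain_attr.lower()
    if domain.startswith("."):
        domain = domain[1:]               # a leading dot is ignored
    if domain in PUBLIC_SUFFIXES:
        # Only the suffix host itself may keep it, and then only as host-only.
        return (setting_host, True) if setting_host == domain else None
    if not domain_match(setting_host, domain):
        return None                       # a site cannot set cookies for a foreign domain
    return (domain, False)


def is_sent(stored, request_host):
    """Would the stored cookie be attached to a request for request_host?"""
    if stored is None:
        return False
    domain, host_only = stored
    if host_only:
        return request_host.lower() == domain
    return domain_match(request_host, domain)
```

For the static-content question, this shows why a cookie set with Domain=.example.com also travels to static1.example.com, while a host-only cookie set by www.example.com does not.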
I know the security risk associated and have brought it up with the business, but they want to have their 5 domains to share the login cookie.
We are using and have no plan to stop using ASP.Net Membership and Profiles. Is this possible? A hack would even be greatly appreciated.
It is not possible with out of the box ASP.NET.
Forms based authentication is based on a cookie and cookies can only be set to a specific domain.
If you want true cross domain (not sub domains) shared authentication, you need a Single Sign On solution.
I've rolled my own and it's relatively simple. The basic principle is that you have a master domain which holds your authentication cookie (ticket). You then redirect to that domain from all other domains. It's not really pretty, but even Microsoft Passport worked that way.
You can find a lot of examples on the net, take a look at these two links:
Authentication cookies
Cross domain authentication
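One way the redirect back from a master domain can carry proof of login without exposing the authentication cookie itself, as an added sketch that is not the answerer's implementation: the master domain mints a short-lived, single-use, audience-bound ticket and the other site verifies it before setting its own cookie. The shared `SECRET`, the 60-second lifetime and all function and field names are assumptions made for this illustration.

```python
import base64
import hashlib
import hmac
import json
import secrets

SECRET = b"constructed-demo-key"   # constructed value; use a real per-deployment secret
TTL_SECONDS = 60                   # assumed lifetime: just long enough for one redirect


def _sign(payload):
    """HMAC-SHA256 over the encoded claims, hex-encoded."""
    return hmac.new(SECRET, payload, hashlib.sha256).hexdigest()


def issue_ticket(user, audience, now):
    """Master domain: mint a ticket once its own auth cookie has been validated."""
    claims = {"sub": user, "aud": audience, "exp": now + TTL_SECONDS,
              "jti": secrets.token_hex(8)}
    payload = base64.urlsafe_b64encode(json.dumps(claims).encode())
    return payload.decode() + "." + _sign(payload)


def redeem_ticket(ticket, my_host, now, used_ids):
    """Other domain: return the user name, or None if the ticket is rejected."""
    payload, _, sig = ticket.partition(".")
    # Verify the signature before parsing anything, in constant time.
    if not hmac.compare_digest(_sign(payload.encode()).encode(), sig.encode()):
        return None                       # forged or altered
    claims = json.loads(base64.urlsafe_b64decode(payload))
    if claims["aud"] != my_host:
        return None                       # minted for a different site
    if now >= claims["exp"]:
        return None                       # expired
    if claims["jti"] in used_ids:
        return None                       # already redeemed (replay)
    used_ids.add(claims["jti"])
    return claims["sub"]
```

Because the ticket travels in a URL, it carries no session data and is useless after one redemption or one minute; the receiving site issues its own cookie for its own domain once `redeem_ticket` succeeds.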
You may set up all these domains as sub-domains for your company:
www.company.com
shop.company.com
sales.company.com
research.company.com
..
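Then you will be able to set the cookie on the parent domain and it will be visible to all sub-domains.
// encTicket is assumed to hold the encrypted forms-authentication ticket
var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, encTicket);
// Scope the cookie to the parent domain so that every sub-domain receives it
cookie.Domain = ".company.com";
Response.Cookies.Add(cookie);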
Regards,
Max Chernyshov
http://prontocoder.com
Not only with ASP.Net is this not possible, but not at all. Cookies are always domain-specific - no commercial browser will work any other way. This is by design and very much necessary to prevent widespread abuse of cookies.
Muerte pointed you into the right direction (single sign-on).