tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From John Gibson <jgib...@shakethebaby.com>
Subject Re: Domain Names for Session Cookies
Date Sat, 17 Apr 2004 19:28:13 GMT
Thanks.

I tried using URL rewriting that redirects www.foobar.com -> foobar.com 
and it works pretty well as long as people don't try to submit requests 
commands to www.foobar.com.

However the problem with the cookies is that they are NOT generated in a 
  hierarchical fashion.  If a session cookie is created by foobar.com 
then it will set the domain to "foobar.com" instead of ".foobar.com". 
If the former is used then the browser will not send cookies to 
www.foobar.com or baz.foobar.com, etc.  However if the later is used, 
then the browser will send cookies to subdomains of foobar.com.

But this is all moot for now because URL rewriting should fix problems 
for everyone except for those determined to break the program.

John

Tim Funk wrote:
> no. But the web client (browser) should be sending cookies in the most 
> specific to least specific order so this should not be an issue.
> 
> An alternative is to use URL rewriting.
> 
> -Tim
> 
> John Gibson wrote:
> 
>> I'm running Tomcat 4.0.6 with Apache 2.0.46 on RedHat Advanced Server 
>> and I'm running into a problem with the domain for session cookies.
>>
>> I have a host setup as foobar.com with an alias of www.foobar.com.
>> When a client visits foobar.com I create a cookie-based session for 
>> the user.  Everything behaves correctly as long as all of the user's 
>> requests to the server begin with foobar.com, however if the user 
>> visits www.foobar.com the browser will not send the session cookie and 
>> vice-versa.  As far as I can tell this is because the session cookies 
>> that Tomcat creates have a domain that matches the requested domain. 
>> However, if the cookies were created with a domain of ".foobar.com" 
>> then they browser would send the cookie to both http://foobar.com and 
>> http://www.foobar.com.
>>
>> Is there any way to override the cookie domain that Tomcat uses when 
>> it creates a cookie?
>>
>> If there is not a way to do that, then should I forego the usage of 
>> Tomcat's session cookies and create my own cookies for session 
>> management?  Is there a better way?
>>
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: tomcat-user-help@jakarta.apache.org

---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org


Mime
View raw message