Cross domain cookie access (or session)


Solution 1

There are quite a few ways to share session data or cookie data across domains. The simplest is to share it on the server side through a shared data store. But you would not be asking this question if it were that easy.

The other way to do this is equally simple. The domain one.com contains some session data say name=aleem and id=123 and wishes to pass this along to two.com. It will follow these steps:

  1. Make a call to two.com/api/?name=aleem&id=123
  2. When two.com gets the data via query parameters, it creates a cookie with the data. This cookie will be stored under the two.com domain.
  3. two.com will then redirect back to the REFERER which in this case happens to be one.com

This is a simplified scenario. The domain two.com needs to be able to trust one.com and not only that but it needs to know that the request is authentic and not just crafted by the user so you need to use public/private keys to mitigate this.

Solution 2

By default, all cookies for a site are stored together on the client, and all cookies are sent to the server with any request to that site. In other words, every page in a site gets all of the cookies for that site. However, you can set the scope of cookies in two ways:

  1. Limit the scope of cookies to a folder on the server, which allows you to limit cookies to an application on the site.
  2. Set scope to a domain, which allows you to specify which subdomains in a domain can access a cookie.

You can learn more here.
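
An added example, not part of the answer above, of the two scoping rules it describes: a model of how a browser decides which stored cookies to attach to a request, following the domain-match and path-match rules of RFC 6265 (sections 5.1.3, 5.1.4, 5.2.3 and 5.2.4). The host names, cookie names and URLs are constructed for the demo. It goes a little beyond the answer in also showing what a browser does with a Domain attribute that does not cover the responding host (it discards the cookie).

```javascript
// Added example, not code from the answer above: which stored cookies a
// browser sends to a given URL, per RFC 6265. All hosts, cookie names and
// URLs below are made up for the demo.

// Default path when Set-Cookie carries no Path attribute (RFC 6265 5.1.4).
function defaultPath(pathname) {
  if (!pathname.startsWith("/") || pathname.lastIndexOf("/") === 0) return "/";
  return pathname.slice(0, pathname.lastIndexOf("/"));
}

// host domain-matches domain when equal, or when host ends in "." + domain
// (and host is not an IP address).
function domainMatches(host, domain) {
  if (host === domain) return true;
  return host.endsWith("." + domain) && !/^\d+(\.\d+){3}$/.test(host);
}

// Path match: equal, or the cookie path is a prefix ending in "/", or the
// request path continues with "/" right after the prefix ("/app" matches
// "/app/x" but not "/application").
function pathMatches(reqPath, cookiePath) {
  if (reqPath === cookiePath) return true;
  if (!reqPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || reqPath[cookiePath.length] === "/";
}

// Store a Set-Cookie header received from requestUrl. Returns the stored
// cookie, or null when the browser would discard it (Domain attribute that
// does not cover the responding host).
function parseSetCookie(header, requestUrl) {
  const url = new URL(requestUrl);
  const [nameValue, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = nameValue.indexOf("=");
  const cookie = {
    name: nameValue.slice(0, eq),
    value: nameValue.slice(eq + 1),
    domain: url.hostname, // no Domain attribute: host-only cookie
    hostOnly: true,
    path: defaultPath(url.pathname),
    secure: false,
  };
  for (const attr of attrs) {
    const [k, v = ""] = attr.split("=");
    switch (k.toLowerCase()) {
      case "domain": {
        const d = v.replace(/^\./, "").toLowerCase();
        if (!d) break;
        // A host may widen a cookie to its parent domain, never to a stranger.
        if (!domainMatches(url.hostname, d)) return null;
        cookie.domain = d;
        cookie.hostOnly = false;
        break;
      }
      case "path":
        if (v.startsWith("/")) cookie.path = v;
        break;
      case "secure":
        cookie.secure = true;
        break;
    }
  }
  return cookie;
}

// Names of the stored cookies a browser would attach to a request for requestUrl.
function cookiesFor(jar, requestUrl) {
  const url = new URL(requestUrl);
  return jar
    .filter((c) => (c.hostOnly ? url.hostname === c.domain : domainMatches(url.hostname, c.domain)))
    .filter((c) => pathMatches(url.pathname, c.path))
    .filter((c) => !c.secure || url.protocol === "https:")
    .map((c) => c.name);
}

// Constructed jar: one cookie widened to domain.com (every subdomain gets
// it), one host-only cookie, one limited to the /app folder, and one with a
// Domain the responding host does not belong to (discarded).
const jar = [
  parseSetCookie("sess=abc; Domain=domain.com; Path=/; Secure; HttpOnly", "https://login.domain.com/login"),
  parseSetCookie("hostonly=1", "https://subdomain1.domain.com/"),
  parseSetCookie("app=2; Path=/app", "https://subdomain1.domain.com/app/index"),
  parseSetCookie("stolen=1; Domain=evil.com", "https://subdomain1.domain.com/"),
].filter(Boolean);
```

For the single-sign-on case in the question, the cookie widened with Domain=domain.com is the one that reaches both subdomain1.domain.com and subdomain2.domain.com; the host-only cookie reaches only the host that set it. HttpOnly is accepted but not modelled, since it affects script access to the cookie, not whether it is sent.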

Solution 3

The comments about the cookie being set for the domain to allow subdomains to receive that cookie give you that side but what's missing is the consistency of session.

I think this is very much like the problem of maintaining state across servers in a farm and the solution is probably to ensure that your session store is consistent across both sites (if they are not served from the same 'web site' in IIS). You can move the Session store into SQL Server (HOW TO: Configure SQL Server to Store ASP.NET Session State) which would probably serve the purpose as each site would query the same store when looking for the session data related to the cookie they've been presented with.

I hope that gets you on the right track.

Solution 4

If you have the ability to set up a common subdomain, you can do this:

In your subdomain html files, include a javascript file at the top like this:

<script src="http://common.domain.com/check.asp"></script>

In check.asp, look for your logged_in cookie and, if it is not present, show a page, say http://common.domain.com/login.asp, using something like

<%
// check.asp is served as a script, so whatever it emits runs in the
// including page on the subdomain; emit the redirect only when the
// logged_in cookie is missing
if (cookie_not_found) {
%>
location.href = "http://common.domain.com/login.asp";
<%
}
%>

Once a person submits a username and password, submit it back to the same login.asp and set the session cookie (which will be set in the common.domain.com domain), then redirect to http://subdomain1.domain.com.

What will happen now is, a call will be made to the embedded "common.domain.com/check.asp", and cookies for common.domain.com will be sent by the browser along with the request. So you will know whether your session is valid or not, even when you are in subdomain1.domain.com.

Author by

mtranda

Updated on July 05, 2022

Comments

  • mtranda (almost 2 years)

    While I realise that this is usually related to cross site scripting attacks, what I'm wondering is how can a session remain valid throughout multiple subdomains belonging to a single domain (example: a user logging in only once, and being able to access both subdomain1.domain.com and subdomain2.domain.com with the same session). I guess I first need to understand how it works, but so far I haven't been able to find much that would be of any relevance.

    But then again, maybe I wasn't asking the right question.

    Thanks in advance :)

  • Shoban (almost 15 years)
    But you edited it again(?) I didn't see the second code the first time ;-)
  • Lazarus (almost 15 years)
    Surely, irrespective of language used for demonstration, any answer which demonstrated that the basic requirement of the question was possible has value. You at least know that you should keep following the path you are on. ;)
  • aleemb (almost 15 years)
    You cannot get or set a cross-domain cookie. This solution won't work.
  • aleemb (almost 15 years)
    The title says "Cross domain cookie access (or session)". It's ambiguous I guess. You are right in your answer. I take that back =)