We are using ColdFusion 9.0.1 and are having issues with the JSESSION cookie being shared between a domain and a sub domain. They are two different websites and we do not wish to share any session information between them.
How do I add a value to the domain field of the jsessionid cookie? I've seen some examples of people creating a second jsessionid cookie manually but I would rather stick to just one.
I don't think the domain is set on the cookie by default which should limit it to the same domain, perhaps someone has edited your jrun-web.xml file and hard coded a value (look for cookie-domain tag)? See http://livedocs.adobe.com/jrun/4/Programmers_Guide/techniques_servlet13.htm for more info.
I'm facing a few problems when I authenticate using cookies to store the token. Those cookies should be delivered between subdomains; for example, I have my auth code deployed in a subdomain named services.mydomain.co and my frontend in a subdomain named apps.mydomain.co.
When someone authenticates, my auth code creates a cookie with the Domain tag like this: Domain=.mydomain.co in order to enable it to be delivered to all subdomains of mydomain.co, but the cruel reality is that it is not working; even the browser isn't storing the cookie.
The cookie is successfully delivered in the response header after authentication, but the browser isn't storing it.
I'm creating the cookie this way: Set-Cookie: myKey=myKeyValue;path=/;httpOnly;Max-Age=1555520000;Domain=.mydomain.co;sameSite=none
Hope someone could give me some advice, and sorry for bad English.
From your example, you are setting SameSite=None without Secure. This is invalid and browsers (Chrome, Edge, Firefox, etc.) will begin rejecting this.
However, you should check DevTools in Chrome on your site to see the specific error. You can check both the Console and individual requests in the Network tab to see issues with a given cookie.
You can find more detail on https://www.chromium.org/updates/same-site/test-debug
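The rule from the answer above (SameSite=None is only valid together with Secure) can be checked before a response ever reaches a browser. The following is an added example, not code from the original posts: it parses a Set-Cookie header into its name, value and (case-insensitive) attributes and reports why a browser would drop it. The two sample headers are constructed from the header in the question, the second with the missing Secure attribute added.

```javascript
// Added example: parse a Set-Cookie header roughly the way a browser does
// and report the problems discussed above (SameSite=None without Secure).

function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const eq = parts[0].indexOf('=');
  const cookie = {
    name: eq === -1 ? '' : parts[0].slice(0, eq).trim(),
    value: eq === -1 ? parts[0] : parts[0].slice(eq + 1).trim(),
    attrs: {},
  };
  for (const attr of parts.slice(1)) {
    const i = attr.indexOf('=');
    // Attribute names are case-insensitive: httpOnly, sameSite, Max-Age, ...
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    const val = i === -1 ? true : attr.slice(i + 1).trim();
    cookie.attrs[key] = val;
  }
  return cookie;
}

function cookieProblems(header) {
  const c = parseSetCookie(header);
  const problems = [];
  if (!c.name) problems.push('cookie has no name');
  const sameSite =
    typeof c.attrs.samesite === 'string' ? c.attrs.samesite.toLowerCase() : undefined;
  if (sameSite === 'none' && !c.attrs.secure) {
    problems.push('SameSite=None requires the Secure attribute; browsers reject this cookie');
  }
  if (sameSite && !['none', 'lax', 'strict'].includes(sameSite)) {
    problems.push(`unknown SameSite value "${c.attrs.samesite}"`);
  }
  return problems;
}

// Constructed samples: the header from the question, then a corrected version.
const BROKEN =
  'myKey=myKeyValue;path=/;httpOnly;Max-Age=1555520000;Domain=.mydomain.co;sameSite=none';
const FIXED =
  'myKey=myKeyValue; Path=/; HttpOnly; Secure; Max-Age=1555520000; Domain=.mydomain.co; SameSite=None';

console.log('broken:', cookieProblems(BROKEN));
console.log('fixed: ', cookieProblems(FIXED));
```

Because a Secure cookie is only stored when the response arrives over HTTPS, the corrected header also implies that services.mydomain.co must be served over TLS; the DevTools checks described above will show this as well.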
If example.com contains multiple subdomains and all of it resides in a single UA property, assuming subdomain tracking is properly set up in GTM (i.e. cookieDomain is set to auto and the root domain is on the referral exclusion list for Google Analytics), should more than one _ga cookie exist on page load when visiting subdomains?
For example, my gtm snippet is included across all subdomains and it fires a pageview UA tag properly and I visit status.example.com, should I see a _ga cookie with an example value of GA1.3.605803990.1475857272 with the status.example.com domain scope and a _ga cookie with an example value of GA1.2.1926999794.1476293458 with the example.com domain scope?
Or should there always be one _ga cookie fixed at just the root domain? I'm trying to determine why my google analytics is still reporting self referrals for both my root domain and subdomain.
If you want to track your domain and subdomains within a single property there should be a single _ga cookie. To make sure there is just one cookie, the cookie domain should be set to "auto" when you create the tracker:
ga('create','UA-XXXXXXX-X','auto');
which will make sure the cookie is set at the highest possible 'level'. If you get the code from the GA property settings the "auto" setting should already be in there, if you create the tracker via Google Tag Manager you need to explicitly set this via the "set fields" option where you set the field name to "cookieDomain" (GTM has an autosuggest feature that will help with the field names) and the value to "auto".
What if I make a cookie for my domain (www.mydomain.com) and name it "kolac" = $_COOKIE["kolac"].
But what if some other site has a cookie that is named the same as mine. Is it going to replace my cookie or not? I don't understand how it works.
And one more question. What pieces of information can I store in my cookie?
A cookie can only be set and is only accessible to the domain of the request so if there is a cookie set by a different domain with the same key as your cookie, you will not be able to access it. Also, it will not replace your cookie since those two values are stored in physically different files on your computer and can only be accessed by the domain that created the cookie.
A cookie can only store text information up to 4K for the entire cookie. You can still serialize other types of data into text, but generally you only want to store basic text values in a cookie.
Very simple question here. Knowing about cross domain cookie security, does the same apply to sub domains?
EG. Should I be able to read a cookie set on some.abc123.com from the sub domain of www.abc123.com?
Cookie domains are suffix matching, so cookies of www.abc123.com will not be sent to the site some.abc123.com and vice versa.
To have cookies be sent on both domains you should use .abc123.com as the domain.
As an alternative set a cookie at the abc123.com level then set and read cookies from there.
See here: Setting cookies for multiple sub-domains
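Both answers above (the PHP cookie question and this one) come down to the same rule: a cookie without a Domain attribute is host-only and is sent back only to the exact host that set it, while a Domain attribute makes the cookie apply to that domain and every subdomain of it, using suffix matching as defined in RFC 6265. The following is an added example, not code from the original posts, that implements that matching so the cases from the questions can be checked. Host names used in the calls are the ones from the questions; the public-suffix check a real browser also performs (refusing Domain=com) is noted but not implemented.

```javascript
// Added example: RFC 6265 cookie-domain matching, i.e. the "suffix matching"
// the answer above refers to.

// RFC 6265 section 5.1.3: `host` domain-matches `domain` if they are equal, or
// if `host` ends with "." + `domain` and `host` is not an IP address literal.
function domainMatches(requestHost, cookieDomain) {
  const host = requestHost.toLowerCase();
  const domain = cookieDomain.toLowerCase();
  if (host === domain) return true;
  if (/^\d+\.\d+\.\d+\.\d+$/.test(host)) return false; // IPv4 literal: no suffix match
  return host.endsWith('.' + domain);
}

// RFC 6265 section 5.2.3: a leading dot in the Domain attribute is ignored,
// so Domain=.abc123.com and Domain=abc123.com mean the same thing.
function normaliseDomainAttr(domainAttr) {
  if (!domainAttr) return null;
  return domainAttr.replace(/^\./, '').toLowerCase();
}

// Would a cookie set in a response from `settingHost`, with the given Domain
// attribute, be accepted by the browser and later sent to `requestHost`?
function cookieSentTo({ settingHost, domainAttr }, requestHost) {
  const domain = normaliseDomainAttr(domainAttr);
  if (domain === null) {
    // Host-only cookie: returned only to the exact host that set it.
    return requestHost.toLowerCase() === settingHost.toLowerCase();
  }
  // The browser rejects a Domain that does not cover the setting host, so
  // www.attackerwebsite.com cannot set a cookie for yourbank.com.
  // (Browsers additionally reject public suffixes such as "com"; not modelled here.)
  if (!domainMatches(settingHost, domain)) return false;
  return domainMatches(requestHost, domain);
}

// Constructed cases built from the questions above.
const cases = [
  [{ settingHost: 'www.abc123.com' }, 'some.abc123.com'],
  [{ settingHost: 'www.abc123.com', domainAttr: '.abc123.com' }, 'some.abc123.com'],
  [{ settingHost: 'www.abc123.com', domainAttr: 'abc123.com' }, 'abc123.com'],
  [{ settingHost: 'www.attackerwebsite.com', domainAttr: 'yourbank.com' }, 'www.yourbank.com'],
  [{ settingHost: 'services.mydomain.co', domainAttr: '.mydomain.co' }, 'apps.mydomain.co'],
];
for (const [cookie, host] of cases) {
  console.log(cookie, '->', host, ':', cookieSentTo(cookie, host));
}
```

Note that the match is on a dot boundary: a cookie for abc123.com is never sent to evilabc123.com, which is what makes the domain attribute safe to use for sharing between real subdomains only.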
I have a cookie that is being set by Microsoft ISA. I want to check that the cookie exists from ColdFusion, but the cookie isn't listed in the cookie scope. The page I'm trying to read the cookie value from is using HTTPS. Why can't I read the cookie? All the non-secure cookies are listed in the cookie scope.
If the domain value of the cookie was set by another domain then it can't be read by your web application.
It would be a security breach if www.attackerwebsite.com could read session cookies from www.yourbank.com.
I think I've found the problem. The cookie is created by the ISA server as httpOnly. Does that mean the only way to access the cookie is from the server it was created on?
The definitive answer: the ISA server sits between the client and the web server, and it grabs the cookie and doesn't let go. I can access the cookie through ColdFusion from any machine on the domain that is not behind the ISA server. So the solution I came up with was to get the cookie value through a JSONP AJAX call to another machine in the domain.