Sub domain cookie security - cookies

Very simple question here. Knowing about cross domain cookie security, does the same apply to sub domains?
E.g. should I be able to read a cookie set on some.abc123.com from the sub domain of www.abc123.com?

Cookie domains are suffix matching, so cookies of www.abc123.com will not be sent on the site of some.abc123.com and vice versa.
To have cookies be sent on both domains you should use .abc123.com as the domain.

As an alternative, set a cookie at the abc123.com level, then set and read cookies from there.
See here: Setting cookies for multiple sub-domains
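The two answers above describe the browser's Domain rules in words. The following is an added example, not code from either answer, that models the relevant RFC 6265 rules (domain matching, the host-only flag, the ignored leading dot, and rejection of a Domain the setting host does not match) so the behaviour can be checked for concrete hostnames. The hostnames and cookie names are constructed for the demo.

```javascript
// Added example, not code from the original question or answers. It models the
// RFC 6265 rules a browser applies when storing and returning cookies, so the
// "suffix matching" in the answer above can be checked for concrete hostnames.
// All hostnames and cookie names below are constructed for the demo.

// RFC 6265 section 5.1.3: host H domain-matches domain D when H equals D, or when
// H ends with "." + D and H is not an IPv4 address.
function domainMatches(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  if (host === domain) return true;
  if (!host.endsWith('.' + domain)) return false;
  return !/^\d{1,3}(\.\d{1,3}){3}$/.test(host);
}

// Model of the entry a browser stores after processing a Set-Cookie header.
// Without a Domain attribute the cookie is "host-only": returned only to the exact
// host that set it. A leading dot in Domain is ignored (section 5.2.3). A Domain
// the setting host does not match is rejected (section 5.3, step 6), so
// www.abc123.com cannot plant a cookie for its sibling some.abc123.com.
function storeCookie(setterHost, name, domainAttr) {
  const host = setterHost.toLowerCase();
  if (domainAttr === undefined) {
    return { name, domain: host, hostOnly: true };
  }
  const domain = domainAttr.replace(/^\./, '').toLowerCase();
  if (!domainMatches(host, domain)) return null; // rejected by the browser
  return { name, domain, hostOnly: false };
}

// Section 5.4, step 1: the stored cookies that would be attached to a request
// for requestHost (Path and Secure are ignored here to keep the focus on Domain).
function cookiesFor(store, requestHost) {
  const host = requestHost.toLowerCase();
  return store
    .filter(c => (c.hostOnly ? c.domain === host : domainMatches(host, c.domain)))
    .map(c => c.name);
}

// Constructed cookie jar: three Set-Cookie attempts made by www.abc123.com.
const jar = [
  storeCookie('www.abc123.com', 'www_only'),                   // host-only cookie
  storeCookie('www.abc123.com', 'shared', '.abc123.com'),      // sent to every subdomain
  storeCookie('www.abc123.com', 'sibling', 'some.abc123.com'), // rejected, returns null
].filter(Boolean);

console.log(cookiesFor(jar, 'www.abc123.com'));  // [ 'www_only', 'shared' ]
console.log(cookiesFor(jar, 'some.abc123.com')); // [ 'shared' ]
console.log(cookiesFor(jar, 'abc123.com'));      // [ 'shared' ]
console.log(cookiesFor(jar, 'evilabc123.com'));  // []
```

The last call shows why the match requires a dot boundary: a lookalike host such as evilabc123.com does not receive the abc123.com cookie even though the string is a suffix of the hostname.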

Related

Why isn't the browser storing a cookie created in a subdomain in the referer subdomain?

I'm facing a few problems when I authenticate using cookies to store the token. Those cookies should be delivered between subdomains; for example, I have my auth code deployed in a subdomain named services.mydomain.co and my frontend in a subdomain named apps.mydomain.co.
When someone authenticates, my auth code creates a cookie with the Domain tag like this: Domain=.mydomain.co, in order to enable it to be delivered to all subdomains of mydomain.co, but the cruel reality is that it is not working; the browser isn't even storing the cookie.
The cookie is successfully delivered in the response header after authenticating, but the browser isn't storing it.
I'm creating the cookie this way: Set-Cookie: myKey=myKeyValue;path=/;httpOnly;Max-Age=1555520000;Domain=.mydomain.co;sameSite=none
Hope someone could give me some advice, and sorry for my bad English.
From your example, you are setting SameSite=None without Secure. This is invalid and browsers (Chrome, Edge, Firefox, etc.) will begin rejecting this.
However, you should check DevTools in Chrome on your site to see the specific error. You can check both the Console and individual requests in the Network tab to see issues with a given cookie.
You can find more detail on https://www.chromium.org/updates/same-site/test-debug
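To make the check in the answer repeatable before opening DevTools, here is an added example, not code from the answer or from any browser vendor, that parses a Set-Cookie header and reports the attribute combinations current browsers reject: SameSite=None without Secure (the defect in the question), a non-integer Max-Age, and the __Secure-/__Host- prefix rules. The first header string is the one from the question; the corrected header is constructed for the demo.

```javascript
// Added example, not from the original answer: a small Set-Cookie linter that
// applies the check the answer describes (SameSite=None is only accepted together
// with Secure) plus a few related rules browsers enforce. The header strings are
// constructed for the demo; the first one is the header from the question above.

function parseSetCookie(header) {
  const [pair, ...rawAttrs] = header.split(';');
  const eq = pair.indexOf('=');
  const cookie = {
    name: eq < 0 ? '' : pair.slice(0, eq).trim(),
    value: eq < 0 ? pair.trim() : pair.slice(eq + 1).trim(),
    attributes: {},
  };
  for (const raw of rawAttrs) {
    const [key, ...rest] = raw.split('=');
    // Attribute names are case-insensitive (RFC 6265 5.2): "sameSite" is SameSite.
    // Flag attributes (Secure, HttpOnly) are stored as true.
    cookie.attributes[key.trim().toLowerCase()] = rest.length ? rest.join('=').trim() : true;
  }
  return cookie;
}

function lintSetCookie(header) {
  const { name, attributes: a } = parseSetCookie(header);
  const problems = [];
  const sameSite = typeof a.samesite === 'string' ? a.samesite.toLowerCase() : undefined;

  if (!name) problems.push('missing cookie name');
  if (sameSite === 'none' && a.secure !== true) {
    problems.push('SameSite=None without Secure: browsers reject the cookie');
  }
  if (sameSite !== undefined && !['strict', 'lax', 'none'].includes(sameSite)) {
    problems.push(`unknown SameSite value "${a.samesite}"`);
  }
  if (typeof a['max-age'] === 'string' && !/^-?\d+$/.test(a['max-age'])) {
    problems.push('Max-Age is not an integer; browsers ignore the attribute');
  }
  // Cookie-prefix rules enforced by current browsers: __Secure- needs Secure;
  // __Host- additionally forbids Domain and requires Path=/.
  if (name.startsWith('__Secure-') && a.secure !== true) {
    problems.push('__Secure- prefix requires Secure');
  }
  if (name.startsWith('__Host-') && (a.secure !== true || 'domain' in a || a.path !== '/')) {
    problems.push('__Host- prefix requires Secure, Path=/ and no Domain');
  }
  return problems;
}

// Header from the question: HttpOnly and Domain are fine, but SameSite=None lacks Secure.
const fromQuestion =
  'myKey=myKeyValue;path=/;httpOnly;Max-Age=1555520000;Domain=.mydomain.co;sameSite=none';
// Corrected header (constructed): same scope, now accepted by browsers.
const corrected =
  'myKey=myKeyValue; Path=/; HttpOnly; Secure; Max-Age=1555520000; Domain=.mydomain.co; SameSite=None';

console.log(lintSetCookie(fromQuestion)); // [ 'SameSite=None without Secure: browsers reject the cookie' ]
console.log(lintSetCookie(corrected));    // []
```

Because Secure is required, the corrected cookie is only sent over HTTPS, so both services.mydomain.co and apps.mydomain.co must be served over TLS for it to work.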

Should there be multiple _ga tracking cookies for a gtm UA tracked property containing multiple subdomains?

If example.com contains multiple subdomains and all of it resides in a single UA property, assuming subdomain tracking is properly set up in gtm (i.e. cookieDomain is set to auto and the root domain is on the referral exclusion list for google analytics), should more than one _ga cookie exist on page load when visiting subdomains?
For example, my gtm snippet is included across all subdomains and it fires a pageview UA tag properly and I visit status.example.com, should I see a _ga cookie with an example value of GA1.3.605803990.1475857272 with the status.example.com domain scope and a _ga cookie with an example value of GA1.2.1926999794.1476293458 with the example.com domain scope?
Or should there always be one _ga cookie fixed at just the root domain? I'm trying to determine why my google analytics is still reporting self referrals for both my root domain and subdomain.
If you want to track your domain and subdomains within a single property there should be a single _ga cookie. To make sure there is just one cookie, the cookie domain should be set to "auto" when you create the tracker:
ga('create','UA-XXXXXXX-X','auto');
which will make sure the cookie is set at the highest possible 'level'. If you get the code from the GA property settings the "auto" setting should already be in there, if you create the tracker via Google Tag Manager you need to explicitly set this via the "set fields" option where you set the field name to "cookieDomain" (GTM has an autosuggest feature that will help with the field names) and the value to "auto".

Trouble with same cookies on subdomain and top domain

So, we've got two domains like this: subsubdomain.subdomain.domain.com and subdomain.domain.com.
We need to use separate social apps for these domains, so 2 cookies are set, 1 for each domain. They have equal names, so the lower domain has access to both cookies.
The problem is that instead of taking its own cookie, the lower domain takes the cookie from the upper one.
I thought the browser was supposed to choose the cookie with the most specific domain for the current one, but somehow it doesn't. Is there a way to handle such situations?

How do I add domain to the jsessionid cookie in coldfusion?

We are using ColdFusion 9.0.1 and are having issues with the JSESSION cookie being shared between a domain and a sub domain. They are two different websites and we do not wish to share any session information between them.
How do I add a value to the domain field of the jsessionid cookie? I've seen some examples of people creating a second jsessionid cookie manually but I would rather stick to just one.
I don't think the domain is set on the cookie by default, which should limit it to the same domain; perhaps someone has edited your jrun-web.xml file and hard-coded a value (look for the cookie-domain tag)? See http://livedocs.adobe.com/jrun/4/Programmers_Guide/techniques_servlet13.htm for more info.

Reading secure cookie in ColdFusion

I have a cookie that is being set by Microsoft ISA. I want to check that the cookie exists from ColdFusion, but the cookie isn't listed in the cookie scope. The page I'm trying to read the cookie value from is using HTTPS. Why can't I read the cookie? All the non-secure cookies are listed in the cookie scope.
If the domain value of the cookie was set by another domain then it can't be read by your web application.
It would be a security breach if www.attackerwebsite.com could read session cookies from www.yourbank.com.
I think I've found the problem. The cookie is created by the ISA server as httpOnly. Does that mean the only way to access the cookie is from the server it was created on?
The definitive answer: the ISA server sits between the client and the web server, and it grabs the cookie and doesn't let go. I can access the cookie through ColdFusion from any machine on the domain that is not behind the ISA server. So the solution I came up with was to get the cookie value through a JSONP AJAX call to another machine in the domain.