tags:

views:

382

answers:

3

I have a dev server in our office that is behind the firewall. The hostname is franklin. We name all our servers after scientists or inventors.

When I set an HTTP cookie:

 Set-Cookie: user=kenny; expires=1245424860.11; Path=/; domain=franklin

The cookie doesn't set. I have tried the following with no luck.

.franklin
.franklin.local
franklin.local
.franklin.localdomain
franklin.localdomain

Do I have to set the hostname to something different or can I set this cookie through some magic I don't know already?

A: 

Are you setting the cookie from the right domain? You should access the website over http://franklin/ otherwise it wouldn't work (see: same origin policy).

dr. evil
I can access it as http://franklin/
RogueFalcon
+2  A: 

RFC 2109 says:

To prevent possible security or privacy violations, a user agent rejects a cookie (shall not store its information) if any of the following is true:

  • The value for the Domain attribute contains no embedded dots or does not start with a dot.
  • The value for the request-host does not domain-match the Domain attribute.

And also:

Domain Defaults to the request-host.

If your host is franklin:

  • Cookies with domain=.franklin will be rejected, because it has no embedded dot.
  • Cookies with domain=.franklin.local will be rejected, because it does not match the actual host name of your server.

The solution is to rename your hostname to franklin.local or franklin.<tld> and set the domain attribute of the cookie accordingly (domain=.franklin.<tld>). Alternatively (as you found out), do not specify the domain, and let the user agent fallback to the request host.

molf
Great explanation! Thanks molf!
RogueFalcon
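To make the rejection rules above concrete, here is an added example (not code from any poster in this thread) that encodes the RFC 2109 section 4.3.2 Domain checks quoted in the answer, the section 4.3.1 default, and the one further bullet from the same section that the answer does not quote (a request-host of the form HD is rejected when H contains a dot), then runs them over the hostname and Domain values tried in the question. The hostnames ending in `.example` and the `CASES` table are constructed for the demonstration.

```python
"""Decide whether an RFC 2109 user agent would store a cookie.

Added example for this thread, not code from any poster. It implements the
Domain rules from RFC 2109 sections 2, 4.3.1 and 4.3.2 and runs them over
the hostnames and Domain values from the question (plus constructed cases).
"""
from __future__ import annotations

import re

IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def parse_set_cookie(header: str) -> tuple[str, str, dict[str, str]]:
    """Split a Set-Cookie value into (name, value, attributes).

    Attribute names are lowercased; flag attributes without '=' get ''.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: dict[str, str] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def domain_match(host: str, domain: str) -> bool:
    """RFC 2109 section 2 domain-match.

    A matches B if the strings are equal, or A is a host name (not an IP
    address) of the form NB where N is non-empty and B starts with a dot.
    So x.y.com matches .y.com, but y.com does not.
    """
    host, domain = host.lower(), domain.lower()
    if host == domain:
        return True
    if IPV4_RE.match(host):  # IP addresses only match by string equality
        return False
    return domain.startswith(".") and host.endswith(domain) and len(host) > len(domain)


def user_agent_decision(request_host: str, set_cookie: str) -> tuple[bool, str]:
    """Return (stored, reason) for a Set-Cookie received from request_host.

    When stored is True, reason is the domain the cookie is filed under.
    """
    _, _, attrs = parse_set_cookie(set_cookie)
    host = request_host.lower()
    if not attrs.get("domain"):
        # RFC 2109 4.3.1: Domain defaults to the request-host (no leading dot)
        return True, host
    domain = attrs["domain"].lower()
    if not domain.startswith("."):
        return False, "rejected: Domain does not start with a dot"
    if "." not in domain[1:]:
        return False, "rejected: Domain contains no embedded dot"
    if not domain_match(host, domain):
        return False, "rejected: request-host does not domain-match Domain"
    # Fourth 4.3.2 bullet: request-host has the form HD and H contains a
    # dot, so a deep subdomain cannot set cookies for an unrelated subtree.
    extra = host[: -len(domain)]
    if "." in extra:
        return False, "rejected: request-host has labels beyond Domain"
    return True, domain


# Constructed cases: the question's host with the Domain values it tried,
# the no-Domain fallback from the answer, and hosts that exercise the
# matching rules the RFC introduced for security.
CASES = [
    ("franklin", "user=kenny; Path=/; domain=franklin"),
    ("franklin", "user=kenny; Path=/; domain=.franklin"),
    ("franklin", "user=kenny; Path=/; domain=.franklin.local"),
    ("franklin", "user=kenny; Path=/; domain=franklin.local"),
    ("franklin", "user=kenny; Path=/"),
    ("www.franklin.example", "user=kenny; Path=/; domain=.franklin.example"),
    ("a.b.franklin.example", "user=kenny; Path=/; domain=.franklin.example"),
    ("evil.example", "user=kenny; Path=/; domain=.franklin.example"),
]

if __name__ == "__main__":
    for host, header in CASES:
        stored, why = user_agent_decision(host, header)
        outcome = f"stored under {why}" if stored else why
        print(f"{host:22} {header.split(';')[-1].strip():28} -> {outcome}")
```

Two caveats when reading the output against the answer. First, RFC 2109's domain-match, taken literally, needs a non-empty prefix N, so a host renamed to `franklin.local` does not itself match `.franklin.local` under this checker (only `www.franklin.local` and the like would); RFC 6265, which obsoleted RFC 2109 and describes what browsers actually do, strips the leading dot and treats identical strings as a match, which is why the answer's recommendation works in practice. Second, these rules alone would let a host like `evil.co.uk` set a cookie for `.co.uk`; browsers close that gap with the Public Suffix List, which this example does not model.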
A: 

I am having the same issue with an intranet site. I set the authentication cookie domain value to match the web server host name (excluding the server name, e.g. ".domain.lb1"), but every time I attempt to log in, the login screen just keeps reloading as if the cookie was never issued. Removal of the domain attribute allows the cookie to be issued but then limits my ability to use the authentication cookie in an SSO solution that spans multiple servers. Any thoughts on what the issue might be?

James
I got it to work when I stopped setting the domain in the cookie. I just let the browser set it.
RogueFalcon