For sessions and cookies, is there a difference between example.com and www.example.com?

I have a very strange problem with our web application.

The private web is: private.example.com
The public web is: example.com

For some reasons outside my control, www.example.com is always redirected to example.com. I guess this is the setup on the server.

The problem is that when I log in to the admin console, then open a new tab and request the public site, the login session is lost.

This only happens in IE 7.

After some digging I found this site:

http://blogs.msdn.com/ieinternals/archive/2009/08/20/WinINET-IE-Cookie-Internals-FAQ.aspx

See Q3

Can it be that the session set in admin (private.example.com) is deleted when I access the public site, since the server is redirecting me to example.com?

I think we do not specify the domain part when setting the cookie (Java).

As I said, this only happens with XP SP3 and IE7.

Can anyone help me, or correct my understanding of the IE stuff?

A: 

If you set a cookie for example.com it should be sent to www.example.com and private.example.com, but if you set a cookie for private.example.com it should not be sent to example.com. Some sites set all their cookies against www.example.com and serve static content from static.example.com or another domain so cookies are not needlessly sent along with requests for static content.

See also http://developer.yahoo.com/performance/rules.html#cookie%5Ffree

joeforker
Are you sure? Sending a cookie for a subdomain would be a security vulnerability since nothing says that the subdomain is controlled by the same authority.
bortzmeyer
Yes, I'm sure. Check out RFC 2019: http://www.ietf.org/rfc/rfc2109
joeforker
BTW, RFC 2109 (and not RFC 2019) has since been replaced by RFC 2965.
bortzmeyer
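The scoping rules joeforker describes, as an added example that is not from this thread: a small Python model of the host-only and domain-match rules of RFC 6265 (the RFC that later superseded 2109/2965), walked through the questioner's private.example.com / example.com setup with a constructed cookie name.

```python
# Added example (not from the original question or answers): a minimal model
# of RFC 6265 cookie domain scoping. Shows why a session cookie set by
# private.example.com WITHOUT a Domain attribute is host-only and is never
# sent to example.com, and why Domain=example.com makes it reach every
# subdomain (which is also the trust trade-off bortzmeyer's comment raises).
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Cookie:
    name: str
    domain: str       # canonical host (or domain) the cookie is scoped to
    host_only: bool   # True when Set-Cookie carried no Domain attribute


def domain_matches(host: str, domain: str) -> bool:
    """RFC 6265 section 5.1.3: host equals domain or is a subdomain of it.
    (IP-address hosts are ignored here for brevity.)"""
    return host == domain or host.endswith("." + domain)


def store_cookie(name: str, request_host: str,
                 domain_attr: Optional[str]) -> Optional[Cookie]:
    """Model a user agent storing a Set-Cookie received from request_host.
    Returns None when the cookie must be rejected (RFC 6265 section 5.3)."""
    request_host = request_host.lower()
    if not domain_attr:
        return Cookie(name, request_host, host_only=True)
    domain = domain_attr.lower().lstrip(".")   # a leading dot is ignored
    # the request host must domain-match the attribute, else the UA drops it
    if not domain_matches(request_host, domain):
        return None
    return Cookie(name, domain, host_only=False)


def cookie_is_sent(cookie: Cookie, request_host: str) -> bool:
    """RFC 6265 section 5.4: host-only cookies need an exact host match."""
    request_host = request_host.lower()
    if cookie.host_only:
        return request_host == cookie.domain
    return domain_matches(request_host, cookie.domain)


def admin_session_scenario() -> dict:
    """Constructed walk-through of the question's setup (cookie name assumed)."""
    host_only = store_cookie("JSESSIONID", "private.example.com", None)
    shared = store_cookie("JSESSIONID", "private.example.com", "example.com")
    sibling = store_cookie("JSESSIONID", "private.example.com", "www.example.com")
    return {
        "host_only_sent_to_public": cookie_is_sent(host_only, "example.com"),
        "host_only_sent_to_admin": cookie_is_sent(host_only, "private.example.com"),
        "shared_sent_to_public": cookie_is_sent(shared, "example.com"),
        "shared_sent_to_www": cookie_is_sent(shared, "www.example.com"),
        "sibling_domain_rejected": sibling is None,
    }
```

Widening the session cookie to example.com is what makes the admin login survive the redirect, at the cost of sending that session cookie to every host under example.com.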
+1  A: 

Cookies are always set on a subdomain rather than the domain itself, when being created. You'll have to specifically set up the cookie to point to example.com when created. We had the same problem with admin.example.com and dealer.example.com login cookies.

Brisbe42
+1  A: 

Yes, cookies are domain and even sub-domain specific. So this is the problem. For consistency's sake, I'd try to find a way to keep it on the same sub-domain.

You said the redirect from www.yourdomain.com to yourdomain.com is outside your control. Is that because you don't have access to the server? If so, you could attack it from another angle. Instead of preventing the redirect, you could set up a global 301 redirect rule so that every user who goes to www.yourdomain.com is instantly redirected to yourdomain.com (kinda like StackOverflow.com). That way it remains consistent on every page of the site.

There are many different ways to accomplish this. But if by chance you're using .NET, see my answer to this question: http://stackoverflow.com/questions/1246041/setting-up-http-redirect-for-seo-in-iis7/1246342#1246342

That's a pure .NET code solution that requires no additional modules so it'd work even if you don't have access to the server. Actually that answer is for the reverse scenario (non-www to www) but it could easily be modified for this task.

Steve Wortham
Yes, the system administrator is redirecting http://domain.com to http://www.domain.com and it is now working. We will update the code to add the domain attribute.
Even though there were multiple flaws here, the funny thing is that it was only IE 7 that failed.
I'm not sure why only IE7 failed. But I'm glad this worked for you.
Steve Wortham
I think the answer is in the MSDN blog mentioned in the question.
A: 

Domains and sub-domains are independent of each other when it comes to cookies. I would check your DNS records to see where your A records actually point, then look at your web server to see how the subdomains are interpreted. Sometimes servers are configured to treat subdomains as URL redirections, especially in large hosted solutions.

You might also want to check if the Java equivalent of the ASP property 'Response.Cookies("UID").Domain' is set somewhere along the line.

entens