Currently we are facing a problem with sharing the same session across subdomains. We are using a JBoss server.

Users access the site corresponding to their locale, say en_US, that has a unique domain name. A cookie is created corresponding to the domain. Users are allowed to go to other locales that have different domain names. The problem is that a new cookie is created for the other domain, which loses the information stored in the previous session. We need to use the same session cookie across domains.

Example domains: sample.au, sample.co.uk, sample.us

I asked to look into iframe/P3P solutions. I am new to this concept. Can you please guide me on how to achieve this?

Thanks in advance

+3  A: 

Cookies can only be shared in domains if they are valid for a common higher level domain. So foo.example.com and bar.example.com can share a cookie that is set for example.com.

Gumbo
+1  A: 

You need to set the domain for your cookie to your top domain preceded by a dot, e.g. for subdomain1.domain.com and subdomain2.domain.com, you would set the domain for the session cookie to: .domain.com.

In JBoss you should be able to override this for all the subdomains in the javax.servlet.http.Cookie class.

Wesley Mason
+1  A: 

What you need is a single sign on service. You could roll your own for your sites A..Y by having a centralised site Z to manage the sessions/sign on.

  • user arrives in site A, doesn't present any session id
  • site A redirects user to site Z
  • site Z creates a session, perhaps after authenticating the user, and drops a site Z cookie, redirects user back to site A with a URL which contains an additional payload telling site A what the user's session id is
  • site A drops a session cookie, allowing the user to continue to use their shared session on A

Now when the user goes to site B

  • site B sees no session, redirects to site Z
  • site Z sees it's already got a session for this person, directs them straight back to B with the session id payload
  • site B drops a session cookie, it's all good again.

To put it another way, your single sign on service gives the user something that they can hang on to (a session cookie) and also something they can pass to the participating site to prove they are authenticated.

Paul Dixon
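
An added example (not part of the answer above, and not code from any project) of the redirect payload in that flow: rather than a bare session id in the URL, site Z issues an HMAC-signed token bound to the target site and a short expiry, and the receiving site verifies it before dropping its own session cookie. The class name `HandoffToken`, the token layout, the shared key and the sample values are all assumptions made for illustration.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Base64;

// Hypothetical helper: site Z signs the payload, sites A..Y verify it.
public class HandoffToken {
    private static final Base64.Encoder ENC = Base64.getUrlEncoder().withoutPadding();
    private static final Base64.Decoder DEC = Base64.getUrlDecoder();
    private static byte[] hmac(byte[] key, byte[] data) throws GeneralSecurityException {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return mac.doFinal(data);
    }
    // Site Z: bind the session id to one target site and an expiry (epoch seconds).
    // Assumes the session id and site name contain no '|' character.
    public static String issue(byte[] key, String sessionId, String audience, long expiresAt)
            throws GeneralSecurityException {
        byte[] payload = (sessionId + "|" + audience + "|" + expiresAt).getBytes(StandardCharsets.UTF_8);
        return ENC.encodeToString(payload) + "." + ENC.encodeToString(hmac(key, payload));
    }

    // Site A/B: returns the session id, or null if the token is malformed,
    // forged, expired, or was issued for a different site.
    public static String verify(byte[] key, String token, String expectedAudience, long now)
            throws GeneralSecurityException {
        String[] parts = token.split("\\.");
        if (parts.length != 2) return null;
        byte[] payload, tag;
        try {
            payload = DEC.decode(parts[0]);
            tag = DEC.decode(parts[1]);
        } catch (IllegalArgumentException e) { return null; }
        if (!MessageDigest.isEqual(hmac(key, payload), tag)) return null; // constant-time compare
        String[] f = new String(payload, StandardCharsets.UTF_8).split("\\|");
        if (f.length != 3 || !f[1].equals(expectedAudience)) return null;
        if (now > Long.parseLong(f[2])) return null;
        return f[0];
    }
    public static void main(String[] args) throws Exception {
        byte[] key = "constructed-demo-key".getBytes(StandardCharsets.UTF_8); // constructed sample key
        long now = System.currentTimeMillis() / 1000;
        String t = issue(key, "abc123", "sample.co.uk", now + 60); // constructed session id
        System.out.println(verify(key, t, "sample.co.uk", now));      // intended site, in time
        System.out.println(verify(key, t, "sample.us", now));         // token replayed at another site
        System.out.println(verify(key, t, "sample.co.uk", now + 61)); // after expiry
    }
}
```

The token still travels in a URL, so the expiry should be kept short and the redirect served over HTTPS; rejecting a second use of the same token within its lifetime would need state on the receiving side that this sketch does not keep.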
A: 

see

Sharing Cookies Between Domains

http://www.15seconds.com/issue/971108.htm

It seems to use the "Redirection" to translate cookies between the domains. But it is too complex. Just for a reference.

webfpc
A: 

The second solution should be useful for across domains...

http://www.tutorialized.com/view/tutorial/Cookies-Across-Domains/1486

But if you can, please explain this in detail... (COM object)

Gi Joe
