Let's say you have www.domain.com which writes a cookie. You need that cookie to be accessible by a sub domain of your original site: other.domain.com. To enable this, the cookie that is written must not include the specific sub domain in the domain property of the cookie (www). The cookie's domain must be sub domain-less, and begin with a period (.). This then permits the browser to include the cookie in requests to all sub domains, permitting each sub domain to read the cookie content.
Basically, the cookie's domain must go
From this: www.domain.com
To this: .domain.com
The most obvious way to achieve this is to hard code the domain value when writing the cookie - but that always feels wrong and it doesn't help when running on localhost. Nor is it desirable if you want to change your domain.
The answer I came up with is an extension method that makes use of the requested url. That way, you don't ever have to worry what domain you're running under: you'll always get just the sub domain safe version. It also takes care of a locally hosted domain. Enjoy.
Edit 1: Ed has pointed out in the comments that asp.net will read the most explicit cookie first. So be wary of implementing this approach in a site with already existing cookies that do include the sub domain.
Edit 2: Be wary of this approach when using an integrated cloud hosting provider such as AppHarbor. AH applications are given a url that varies only in the sub domain on the main AppHarbor domain. E.g. the application FooBar on AppHarbor is hosted by default on foobar.apphb.com. Using the technique above would allow any other site hosted in AppHarbor to read the client cookie! To mitigate this you can apply your own hostname to the application and make it canonical so that your site cannot be accessed from the original url. Indeed, it's also a good reason not to put sensitive information in the cookie!
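An added example, not the post's gist or the author's code: the domain derivation described above, extended so that it keeps the cookie host-only where widening it would be wrong (localhost, IP addresses, a host with no sub domain, and a parent domain shared with other tenants as in Edit 2). `CookieDomain`, `ForHost` and the `SharedParents` list are hypothetical names, and the list contents are constructed samples.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net;

public static class CookieDomain
{
    // Constructed sample list (assumption): parent domains shared by
    // unrelated sites. A production check would use the Public Suffix List.
    static readonly HashSet<string> SharedParents =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "apphb.com", "co.uk" };

    // Returns ".parent.tld" for a sub domain host, or null when the cookie
    // should stay host-only (no Domain property set on the HttpCookie).
    public static string ForHost(string host)
    {
        if (string.IsNullOrEmpty(host)) return null;
        host = host.TrimEnd('.');

        // localhost and IP literals have no parent domain to share.
        if (host.Equals("localhost", StringComparison.OrdinalIgnoreCase)) return null;
        if (IPAddress.TryParse(host, out _)) return null;

        var labels = host.Split('.');
        // "domain.com" has no sub domain; dropping a label would leave ".com".
        if (labels.Length < 3) return null;

        var parent = string.Join(".", labels.Skip(1));
        // Widening to a multi-tenant parent exposes the cookie to every
        // other site hosted under it.
        if (SharedParents.Contains(parent)) return null;

        return "." + parent;
    }

    public static void Main()
    {
        // Constructed sample hosts.
        foreach (var h in new[] { "www.domain.com", "other.domain.com", "domain.com",
                                  "localhost", "127.0.0.1", "foobar.apphb.com" })
            Console.WriteLine($"{h,-18} -> {ForHost(h) ?? "(host-only)"}");
    }
}
```

In an ASP.NET handler the result would be assigned to the cookie's Domain only when it is non-null, with the host taken from the request url as the post describes.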
Nice clean example.
One thing to be careful of here - asp.net will always take the most explicit cookie value first (e.g. on the site 'www.domain.com', a cookie for 'www.domain.com' will be considered more relevant than '.domain.com').
This won't be an issue on fresh sites that always implement this method, but be mindful if converting from a site you already have established - so if you were running with 'www.domain.com' with existing users and then implement this code going forward with both the 'www' and 'other' version your users could end up with two cookies which may have some big implications.
Also remember to change the value in your web.config for any session based cookies written by asp.net out of your control.
Thanks Ed, good to know! Will update the post. What's the web.config setting you mention? Sounds out of scope if you're just writing your own cookies.
Oops, HTML tags messed up my previous post:
Yeah, only relevant for session cookies
<system.web>
<httpCookies domain=".domain.com"/>
</system.web>
Got there in the end!
Thanks,
It works for me
This line: if (context.Request.IsLocal)
Is supposed to be if (!context.Request.IsLocal)
Also: "by design domain names must have at least two dots otherwise browser will say they are invalid"
http://stackoverflow.com/questions/1134290/cookies-on-localhost-with-explicit-domain
You don't want to mess with the domain localhost, asp.net has this figured out and you will be able to access cookie across localhost websites already
//asp.net correctly handles localhost so all
//major browsers will accept cookie
string domain = null;
if (!context.Request.IsLocal)
{
    var domainSegments = context.Request.Url.Host.Split('.');
    domain = "." + String.Join(".", domainSegments.Skip(1));
}
var cookie = new HttpCookie(name, value);
//only set Domain when one was derived; otherwise the cookie stays host-only
if (!string.IsNullOrEmpty(domain))
{
    cookie.Domain = domain;
}
Thanks sweetog for pointing out those errors, I've updated the gist.