Session Cookie not accessible across Sub-Domains

An ASP.NET session cookie set on "www.mydomain.com" cannot be accessed on
"search.mydomain.com"; hence, a new session and cookie are being created on
every sub-domain.

This is occurring because ASP.NET always sets the Session cookie domain to
the full domain (e.g. "www.mydomain.com") instead of the parent domain (e.g.
"mydomain.com").

The problem with this is when the visitor goes to a different sub-domain
(e.g. "search.mydomain.com"), this sub-domain cannot access the previously
set Session cookie, and hence, has no idea a session has already been
created. Hence, a new session is created with a new cookie set to
"search.mydomain.com". Now the visitor has two session cookies pointing to
two different sub-domains.

For the past couple of years, I've gotten around this by manually creating an
"ASP.NET_SessionId" cookie pointing to the parent domain (e.g.
"mydomain.com"). That way, all sub-domains have access to the same cookie and
the same session ID. However, this is a hack; I end up with multiple session
cookies pointing to "www.mydomain", "search.mydomain.com", and
"mydomain.com"; not the best solution.

How can I tell ASP.NET to always set the Session cookie domain to
"mydomain.com" so all sub-domains can read it? My research over the past
couple of years tells me this is impossible. This seems to be a major bug
that many people experience; however, I've heard no word of a fix nor any
comment on it from Microsoft.

Doug
Nov 19 '05 #1
When initially setting the cookie

Response.Cookies("domain").Value = DateTime.Now.ToString
Response.Cookies("domain").Expires = DateTime.Now.AddDays(1)
Response.Cookies("domain").Domain = "mydomain.com"

... should do the trick.

I think it's case sensitive at the browser.

--
Regards

John Timney
ASP.NET MVP
Microsoft Regional Director

Nov 19 '05 #2
Hi John,
Thank you for the reply. I'm not sure I understand; or perhaps vice-versa?

I don't set the ASP.NET Session cookie. ASP.NET does that all on its own. I
do know how to write cookies and set domains, etc. My question is, how do I
get ASP.NET to set the correct domain wherever it sets its own cookie?

Thanks,
Doug
Nov 19 '05 #3
Sorry, I misread your question (it's late here!!).

You can't share sessions across domains, nor applications natively - so it
will always set a new cookie as you move between domains. Because you can
share cookies across those applications (and between those domains) one
approach is to store your shared data in a database and use a shared domain
cookie to identify the data in the database.

--
Regards

John Timney
ASP.NET MVP
Microsoft Regional Director

Nov 19 '05 #4
Hi John,
I wasn't referring to sharing sessions across parent domains (e.g.
"mydomain1.com" and "mydomain2.com"). I want to share sessions on sub-domains
of the same domain (e.g. "www.mydomain.com" and "search.mydomain.com").
Regards,
Doug
Nov 19 '05 #5
I expect the problem would be the same. ASP.NET bounds sessions and objects
within applications for security, so if your subdomains were not part of the
same web application then the session would not apply. The solution could
be to have a root application, with all your other applications hanging
under it as non-application virtual directories - and then have something
like the ISAPI virtual hosting filter handle the domains, allowing the root
application to own the single session. I've never tried it myself though.
I would always see a sub-domain as a separate application entirely, or why
would it be a sub-domain?

--
Regards

John Timney
ASP.NET MVP
Microsoft Regional Director

Nov 19 '05 #6
Well, the out-of-proc StateServer works just fine for sharing sessions across
sub-domains. Everything in ASP.NET allows for sharing sessions across
sub-domains; everything except this simple cookie issue.

Let me explain one of the reasons why I need sessions to be shared across
sub-domains:
I have a "www" server, and a "search" server. When a person signs in, the
HTML header at the top of every page shows a link to "Sign Out". This same
header is used on every page throughout the site; on both "www" and "search".
Based on the session, I know whether the person is signed in or not, and
whether to show the "Sign Out" link or not. The session needs to persist
across sub-domains; otherwise, when a person goes to the "search" server,
they wouldn't appear to be signed in any longer.

There are many real-world examples of why sessions need to be shared across
sub-domains. e.g. Yahoo uses a single sign-on and you stay signed-in across
"mail.yessy.com", "shopping.yahoo.com", "music.yahoo.com", etc.

There are just so many examples of why a session would need to be shared
across sub-domains.

The ASP.NET StateServer natively supports sub-domains. The only issue is the
domain setting for the Session cookie. Instead of tying the cookie to
"www.mydomain.com", allow the cookie to be tied to "mydomain.com". That way,
all sub-domains can access the cookie and problem solved. People stay
signed-in across sub-domains; the same session can be accessed; etc.

Why not allow developers to share sessions across sub-domains if they need
to? It's an extremely simple feature to provide.

By the way, I implemented a fairly good fix/hack today. Put this code on
every page:
Response.Cookies["ASP.NET_SessionId"].Value = Session.SessionID;
Response.Cookies["ASP.NET_SessionId"].Domain = ".mydomain.com";

Those two lines of code rewrite the Session cookie so it's now accessible
across sub-domains.

My hope is that Microsoft will implement a web/machine.config param that
allows the Session cookie to be accessed across sub-domains.

Doug

Nov 19 '05 #7
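
The cookie scoping discussed in this thread, as an added example that is not part of any poster's message: a small JavaScript model of the browser's RFC 6265 domain-match rule, replaying the default host-only session cookies from post #1 and then the parent-domain rewrite from post #7. The session ID values, the "blog" host and the names `CookieJar`, `domainMatch` and `replayThread` are constructed for illustration.

```javascript
// Minimal cookie jar following RFC 6265 storage and domain-match rules.
// Session ID values and the "blog" host are constructed for illustration.

// RFC 6265 section 5.1.3: a host matches a cookie domain when they are equal
// or the host ends with "." + domain (IP-address hosts are not handled here).
function domainMatch(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  return host === domain || host.endsWith("." + domain);
}

class CookieJar {
  constructor() {
    this.cookies = [];
  }

  // Store a cookie as a browser would after a Set-Cookie from requestHost.
  // domainAttr is the Domain attribute, or undefined when none was sent.
  // Public-suffix rejection and the Path attribute are left out of this model.
  set(requestHost, name, value, domainAttr) {
    let domain;
    let hostOnly;
    if (domainAttr) {
      domain = domainAttr.replace(/^\./, "").toLowerCase(); // leading dot ignored
      if (!domainMatch(requestHost, domain)) return false; // not our domain: rejected
      hostOnly = false;
    } else {
      domain = requestHost.toLowerCase();
      hostOnly = true; // no Domain attribute: returned to this exact host only
    }
    // An existing cookie is replaced only when name and domain both match,
    // so a parent-domain cookie never overwrites a host-only one.
    this.cookies = this.cookies.filter(
      (c) => !(c.name === name && c.domain === domain)
    );
    this.cookies.push({ name, value, domain, hostOnly });
    return true;
  }

  // Cookies the browser would attach to a request for host, oldest first.
  cookiesFor(host) {
    host = host.toLowerCase();
    return this.cookies.filter((c) =>
      c.hostOnly ? c.domain === host : domainMatch(host, c.domain)
    );
  }
}

// Replay the thread: default host-only session cookies, then the rewrite.
function replayThread() {
  const jar = new CookieJar();
  // Default behaviour described in post #1: no Domain attribute.
  jar.set("www.mydomain.com", "ASP.NET_SessionId", "aaa111");
  const sentToSearchAtFirst = jar.cookiesFor("search.mydomain.com").length;
  jar.set("search.mydomain.com", "ASP.NET_SessionId", "bbb222");
  // Rewrite from post #7, issued by "www": same name, Domain=.mydomain.com.
  jar.set("www.mydomain.com", "ASP.NET_SessionId", "aaa111", ".mydomain.com");
  const values = (host) => jar.cookiesFor(host).map((c) => c.value);
  return {
    sentToSearchAtFirst,
    stored: jar.cookies.length,
    onWww: values("www.mydomain.com"),
    onSearch: values("search.mydomain.com"),
    onBlog: values("blog.mydomain.com"),
  };
}

console.log(replayThread());
```

The parent-domain cookie is returned to every host under "mydomain.com", and the older host-only cookies stay in the browser until the host that set them expires them, which is why two different ASP.NET_SessionId values reach "search" in this replay.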
good hack - I'll remember that one :)

--
Regards

John Timney
ASP.NET MVP
Microsoft Regional Director

Nov 19 '05 #8
