I have a site www.mysite.com. This site is called from another site www.aaa.com where I stamp the cookie (say x = 1) from the server.
Now when my site is called from new site www.new.com, will I be able to fetch the cookie (x=1) that I had stamped from my server when my server was called from www.aaa.com ?
NOTE: All the above processes take place in the same browser.
I am trying to do access the cookie but not been able to do so. I am using vertx as the server.
Small snippet to fetch the cookies in the server:
public Set getAllCookiesName(RoutingContext context) {
Set<Cookie> cookies = context.cookies();
Set<String> cookieNames = new HashSet<String>();
for (Cookie cookie: cookies) {
cookieNames.add(cookie.getName());
}
return cookieNames;
}
Cookies are not shared across different domains, however they can be shared between domains and their subdomains. For e.g.if your mysite is subdomain of another site www.aaa.com (mysite.aaa.com) then cookies could be shared. However it would depend on what path you set your cookie into.
Related
so I am using Jsoup and I am trying to get the cookies set for the site subdomain. The Connection.Response#cookies only returns the one set for that domain. I would like to grab the cookies so that I can use them to request data from the subdomain.
Example:
Connection.Response res = Jsoup.connect("https://www.tvplayer.com/watch/dave").userAgent("Mozilla/5.0").timeout(10000).method(Connection.Method.GET).execute();
Document doc = Jsoup.connect("https://live.tvplayer.com/").timeout(10000).cookies(res.cookies()).get();
If you request it throws a 403 due to the cookie not being set, this is because the cookies for the response doesn't have the ones from the subdomain live. just the main domain.
Outputting the cookies gives the cookies AWSELB and PHPSESSID only.
I have a cookie set in the path of the parent domain ( which I have no control over). But I have an application running in one of the subdomains (I have access to this). How can I access the cookies set against the parent domain?
For instance, say I have the cookies:
Name Value Domain (not https)
ABC 1 .example.com
XYZ 0 foo.bar.example.com
The app is running on foo.bar.example.com and the cookie is set at .example.com
It's a Java application. I tried to debug but I can only see the cookies set for the subdomain, not the primary domain.
Here's the source
Cookie[] cookies = request.getCookies();
if (cookies != null) {
for (Cookie cookie : cookies) {
//Here I only see cookies set for the sub domain but not the parent domain. The cookies collection has no parent domain cookies.
}
}
Also according to this stackoverflow answer maybe the browser is not sending the parent domain cookies to the app?
I feel like I'm missing something elementary here. Any suggestions?
The problem in my case was an external Proxy server (SSO server in my case) was filtering the cookies. So it was an environmental problem. I'm sure that parent domain cookies are available in normal environments.
We have the following situation:
JSESSIONID is being sent by both cookies and URL, but because of a Adobe Flash BUG, they are different (actually, the cookie JSESSIONID is wrong).
What we would like to do is to use the URL JSESSIONID instead of the one sent in the cookies. In other words, when I execute request.getSession(), it should return the HttpSession associated to the ID in the URL and not in the cookie.
We looked into Tomcat7 source code and, in fact, Tomcat first parses the URL, searching for an identifier. Then it overrides it with cookies SESSIONID if they are present. Here is the code snipped in CoyoteAdapter.java (tomcat 7.0.26):
String sessionID = null;
if (request.getServletContext().getEffectiveSessionTrackingModes()
.contains(SessionTrackingMode.URL)) {
// Get the session ID if there was one
sessionID = request.getPathParameter(
SessionConfig.getSessionUriParamName(
request.getContext()));
if (sessionID != null) {
request.setRequestedSessionId(sessionID);
request.setRequestedSessionURL(true);
}
}
// Look for session ID in cookies and SSL session
parseSessionCookiesId(req, request);
parseSessionSslId(request);
We could disable cookies JSESSIONID at all, but we can't because we use it for all URLs in the website. We'd like to disable cookies for JUST THIS SPECIFIC URL.
Is it possible? Is there any other idea or workaround to solve this problem?
You could implement a custom servlet filter that would replace request, response and session objects with your own wrappers. The wrappers then can behave differently based on the URL, e.g. delegate or not to the original session instance. Though you won't be able to access session data for some other id, without changing Tomcat code.
I have a very basic question how the creation of HTTPSession works.I know you folks will fire me on looking at this question as similar kind
of questions exist.But there is reasoning why i am asking this question Here it is :-
I know httpsession is unique to web browser and server creates it when we do HttpServletRequest.getSession first time.It will maintaintain the same session till we
close the browser. But i have little bit different scenario.I Have a web application on one tomcat instance say T1.On welcome page of this web application
i have provided two links on click of which takes me to same java servlet(S1) of different web application hosted on another tomcat instance T2 (these two links
opens two seperate pop up windows). Now first i click the link1 and inspect the sessionId in S1 and find its value as 1678. Now first i click the link2 and
inspect the sessionId in S1 and find its value again as 1678. My question here is why i am getting the same session id for both the requests origintaing
from link1 and link2? what can i do to to get the different session for both of these requests?
What i tried after looking for possible solutions on net :- On click of link1, in Servlet S1 , i copied session attributes, invalidate it and create new one.
Say new session id is 8765 . Now i click the link2 and found the same session in this request too. So i further invalidate it and creates new one(say
new session id is 4897). Ideally it should expire the first browser session (generated on click of link1). To verify it,i click anywhere on pop up 1 it does not get
expired but i see again last generated session id i.e 4897. I am not getting why it attaching the same session id with both pop up windows?
Folks Thanks for your patience for taking your time out and read this long scenario?
Edit :-
Cookie[] cookies = req.getCookies();
if(cookies!=null)
for (int i = 0; i < cookies.length; i++) {
cookies[i].setMaxAge(0);
context.getResponse().getHttpServletResponse().addCookie(cookies[i]);
}
HttpSession myAppSession = req.getSession();//line 1
Assume on click of link1 i get session id as 1234,then after click of link 2 also i get the same session id. As per my understanding, after executing the code above line 1 , i should get the different session id as i am setting the MaxAge as0 before getting the session. But its not happening?
I think this is what you are looking for :
By default session tracking happens by cookies. WebServer sends the session id to the browser in the form of cookie. And, the browser send the cookie having session id for the subsequent requests.
How does the browser identifies which cookies to send for a link/request?
It is based on the these parameters. If the request matches these paramters the browser sends that particular cookie:
Domain: The domain name to which the request is made. Verify in your case if the domain name is same for two instances
Path: If the path name is same. Web Server send the context root as the path , requests under same context root share cookies.
Secure: Server sends if the given cookie is secure or not. Meaning, if the cookie can be sent on non-secure channel.
These parameters will let the browser to send the cookies to the server. And because the same cookie is sent for both the instances you are having. I think the session id is being shared.
If the request propeties such as Request URI, domain and path(i.e, context root) are same between requests, there is no way to tell the browser to use different cookies.
You have some options below:
Use different domain names.
Use different context roots.
Have a LB in front of two nodes and redirect to the correct node based on Session id
I'm having an issue using the Cookie class of the Servlet API 2.5 on Tomcat . I pull out the list of cookies from the HttpServletRequest object and iterate over them like so:
Cookie[] cookies = request.getCookies();
for(Cookie cookie : cookies) {
System.out.println("Name=" + cookie.getName() + " Domain=" + cookie.getDomain());
}
However, for every single cookie in the request the Domain is null. Why is this? The reason I'm asking is because I have a cookie with the same name in two different domains and I want to be able to differentiate between them based on the domain. To help clarify the situation, my identically named cookies are being set in .anydomain.net and .subdomain.anydomain.net. Both are getting sent in the request but the domains are null when they get to the servlet. Is it expected behavior that the servlet cannot see the domain of cookies sent to it?
Edit: I set the cookies along with domain,expiration,and path in a previous request to the servlet. The next request coming into the browser with these cookies shows the domain as null. I have verified the cookies are getting set in the right domains in the browser.
Edit 2: I'm using Tomcat 6
Are you sure that you can get anything except the value from request cookies?
The browser will send only name=value in the HTTP Cookie header.
Other attributes (secure, domain, path, expiration) are only available for cookies that you set into the response yourself.
They are used to create the Set-Cookie response headers.
Properties such as domain are only used for a cookie when it is a part of the response (i.e. in Set-Cookie header). A client (such as a web browser) should only send the cookies that have the correct domain (path, etc.). The request thus only sees values because the header itself (Cookie) only contains values. Your client should not be sending cookies from different domains to the server.