I have a cookie set in the path of the parent domain (which I have no control over). But I have an application running in one of the subdomains (I have access to this). How can I access the cookies set against the parent domain?
For instance, say I have the cookies:
    Name    Value    Domain (not https)
    ABC     1        .example.com
    XYZ     0        foo.bar.example.com

The app is running on foo.bar.example.com and the cookie is set at .example.com.
It's a Java application. I tried to debug but I can only see the cookies set for the subdomain, not the primary domain.
Here's the source:

    Cookie[] cookies = request.getCookies();
    if (cookies != null) {
        for (Cookie cookie : cookies) {
            // Here I only see cookies set for the subdomain but not the parent domain.
            // The cookies collection has no parent domain cookies.
        }
    }

Also, according to this Stack Overflow answer, maybe the browser is not sending the parent domain cookies to the app?
I feel like I'm missing something elementary here. Any suggestions?
The problem in my case was that an external proxy server (an SSO server in my case) was filtering the cookies. So it was an environmental problem. I'm sure that parent domain cookies are available in normal environments.
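The browser-side rule behind this thread, as an added example that is not part of the original posts: a cookie with a Domain attribute is sent to a host that equals that domain or is a subdomain of it (RFC 6265 domain matching). The class name and the `OTHER` cookie are constructed for illustration; host-only cookies and the Path and Secure attributes are not modelled.

```java
import java.util.LinkedHashMap;
import java.util.Locale;
import java.util.Map;

public class CookieDomainMatch {

    // RFC 6265 section 5.1.3: the host matches if it equals the cookie domain,
    // or ends with "." + domain and is not an IP address literal.
    static boolean domainMatches(String requestHost, String cookieDomain) {
        String host = requestHost.toLowerCase(Locale.ROOT);
        String domain = cookieDomain.toLowerCase(Locale.ROOT);
        if (domain.startsWith(".")) {
            domain = domain.substring(1); // a leading dot is ignored (section 5.2.3)
        }
        if (domain.isEmpty()) {
            return false; // nothing left to match: host-only case, not modelled here
        }
        if (host.equals(domain)) {
            return true;
        }
        // Suffix matching never applies to IP literals (rough IPv4/IPv6 check).
        boolean ipLiteral = host.matches("[0-9.]+") || host.contains(":");
        return !ipLiteral && host.endsWith("." + domain);
    }

    public static void main(String[] args) {
        // Constructed sample: the cookie table from the question (name -> Domain attribute).
        Map<String, String> jar = new LinkedHashMap<>();
        jar.put("ABC", ".example.com");
        jar.put("XYZ", "foo.bar.example.com");
        jar.put("OTHER", "baz.example.com"); // constructed sibling-subdomain cookie

        String host = "foo.bar.example.com";
        for (Map.Entry<String, String> c : jar.entrySet()) {
            System.out.printf("%-5s Domain=%-20s sent to %s: %b%n",
                    c.getKey(), c.getValue(), host, domainMatches(host, c.getValue()));
        }
    }
}
```

When this check says a cookie should be sent but `request.getCookies()` does not contain it, compare the raw `Cookie` header at the browser and at the servlet to find the hop that drops it.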
Related
I have a Servlet web application running on a subdomain. It can access other cookies, but the cookies set by the SSO application at the parent domain level are not accessible. But I can see those cookies are there in the browser.
In the servlet application, I have this code to read cookies:

    httpRequest = (HttpServletRequest) request;
    Cookie[] cookies = httpRequest.getCookies();
    if (cookies != null) {
        for (Cookie cookie : cookies) {
            if (cookie.getName().equals("SESSION_ID")) accessToken = cookie.getValue();
        }
    }

The above code can only retrieve the cookies set by the subdomain application. If I check the browser's cookie list, I can see the "SESSION_ID" cookie and its value with the primary domain.
The cookies look like this:

    Name          Value    Domain
    SESSION_ID    123      .primarydomain.com
    XYZ           001      subdomain.primarydomain.com
    ABC           2233

In the above cookies list I can only access XYZ and ABC but not the value of SESSION_ID. Am I missing some basic thing here?
I have a site www.mysite.com. This site is called from another site www.aaa.com where I stamp the cookie (say x = 1) from the server.
Now when my site is called from a new site www.new.com, will I be able to fetch the cookie (x=1) that I had stamped from my server when my server was called from www.aaa.com?
NOTE: All the above processes take place in the same browser.
I am trying to access the cookie but have not been able to do so. I am using Vert.x as the server.
Small snippet to fetch the cookies in the server:

    // Collect the names of all cookies present on the incoming request
    public Set<String> getAllCookiesName(RoutingContext context) {
        Set<Cookie> cookies = context.cookies();
        Set<String> cookieNames = new HashSet<String>();
        for (Cookie cookie : cookies) {
            cookieNames.add(cookie.getName());
        }
        return cookieNames;
    }

Cookies are not shared across different domains; however, they can be shared between domains and their subdomains. For example, if your mysite is a subdomain of another site www.aaa.com (mysite.aaa.com), then cookies could be shared. However, it would depend on what path you set your cookie into.
I want to read parent domain (domain.com) cookies.
I am running the code from xyz.domain.com:

    Cookie[] cookies = request.getCookies();
    if (cookies != null) {
        for (Cookie cookie : cookies) {
            // only subdomain cookies (i.e. xyz.domain.com) are displayed
        }
    }

Here I am not getting domain.com cookies
Similar to the below link
Access parent domain cookies from an application running on a subdomain
Update:
Cannot edit the cookies, i.e. cannot set the domain of the cookie.
When the cookie is created in domain.com, you need to set the domain as cookie.setDomain("."). Then the cookie will be available in the subdomain.
We have the following situation:
JSESSIONID is being sent by both cookies and URL, but because of an Adobe Flash bug, they are different (actually, the cookie JSESSIONID is wrong).
What we would like to do is to use the URL JSESSIONID instead of the one sent in the cookies. In other words, when I execute request.getSession(), it should return the HttpSession associated with the ID in the URL and not in the cookie.
We looked into the Tomcat 7 source code and, in fact, Tomcat first parses the URL, searching for an identifier. Then it overrides it with the cookie's SESSIONID if one is present. Here is the code snippet in CoyoteAdapter.java (Tomcat 7.0.26):

    String sessionID = null;
    if (request.getServletContext().getEffectiveSessionTrackingModes()
            .contains(SessionTrackingMode.URL)) {
        // Get the session ID if there was one
        sessionID = request.getPathParameter(
                SessionConfig.getSessionUriParamName(
                        request.getContext()));
        if (sessionID != null) {
            request.setRequestedSessionId(sessionID);
            request.setRequestedSessionURL(true);
        }
    }
    // Look for session ID in cookies and SSL session
    parseSessionCookiesId(req, request);
    parseSessionSslId(request);

We could disable the JSESSIONID cookie altogether, but we can't because we use it for all URLs in the website. We'd like to disable cookies for JUST THIS SPECIFIC URL.
Is it possible? Is there any other idea or workaround to solve this problem?
You could implement a custom servlet filter that would replace request, response and session objects with your own wrappers. The wrappers then can behave differently based on the URL, e.g. delegate or not to the original session instance. Though you won't be able to access session data for some other id, without changing Tomcat code.
I'm having an issue using the Cookie class of the Servlet API 2.5 on Tomcat. I pull out the list of cookies from the HttpServletRequest object and iterate over them like so:

    Cookie[] cookies = request.getCookies();
    // getCookies() returns null when the request carries no cookies
    if (cookies != null) {
        for (Cookie cookie : cookies) {
            System.out.println("Name=" + cookie.getName() + " Domain=" + cookie.getDomain());
        }
    }

However, for every single cookie in the request the Domain is null. Why is this? The reason I'm asking is because I have a cookie with the same name in two different domains and I want to be able to differentiate between them based on the domain. To help clarify the situation, my identically named cookies are being set in .anydomain.net and .subdomain.anydomain.net. Both are getting sent in the request but the domains are null when they get to the servlet. Is it expected behavior that the servlet cannot see the domain of cookies sent to it?
Edit: I set the cookies along with domain,expiration,and path in a previous request to the servlet. The next request coming into the browser with these cookies shows the domain as null. I have verified the cookies are getting set in the right domains in the browser.
Edit 2: I'm using Tomcat 6
Are you sure that you can get anything except the value from request cookies?
The browser will send only name=value in the HTTP Cookie header.
Other attributes (secure, domain, path, expiration) are only available for cookies that you set into the response yourself.
They are used to create the Set-Cookie response headers.
Properties such as domain are only used for a cookie when it is a part of the response (i.e. in Set-Cookie header). A client (such as a web browser) should only send the cookies that have the correct domain (path, etc.). The request thus only sees values because the header itself (Cookie) only contains values. Your client should not be sending cookies from different domains to the server.
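What the answers above describe, as an added example that is not part of the original posts: the `Cookie` request header carries only name=value pairs, so two cookies with the same name set for `.anydomain.net` and `.subdomain.anydomain.net` arrive as two indistinguishable entries. The class name, the cookie names and the header string are constructed for illustration; the sketch parses the raw header with the JDK only and returns a value only when the name is unambiguous.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

public class CookieHeaderDuplicates {

    // Split a raw Cookie request header into name -> all values, in the order sent.
    static Map<String, List<String>> parse(String cookieHeader) {
        Map<String, List<String>> byName = new LinkedHashMap<>();
        for (String pair : cookieHeader.split(";")) {
            int eq = pair.indexOf('=');
            if (eq < 0) {
                continue; // skip malformed pairs without '='
            }
            String name = pair.substring(0, eq).trim();
            String value = pair.substring(eq + 1).trim();
            byName.computeIfAbsent(name, k -> new ArrayList<>()).add(value);
        }
        return byName;
    }

    // A name that arrives more than once cannot be attributed to a domain on the
    // server, so return the value only when exactly one was sent.
    static String uniqueValue(Map<String, List<String>> cookies, String name) {
        List<String> values = cookies.get(name);
        return (values != null && values.size() == 1) ? values.get(0) : null;
    }

    public static void main(String[] args) {
        // Constructed header: "token" was set for both .anydomain.net and
        // .subdomain.anydomain.net; no domain information reaches the server.
        String header = "token=from-parent; theme=dark; token=from-subdomain";
        Map<String, List<String>> cookies = parse(header);
        System.out.println(cookies);
        System.out.println("token -> " + uniqueValue(cookies, "token"));
        System.out.println("theme -> " + uniqueValue(cookies, "theme"));
    }
}
```

Because the server cannot tell the two apart, giving the cookies distinct names per domain is the reliable way to differentiate them.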