Reputation:
For sessions and cookies, is there a difference between example.com and www.example.com?
I have a very strange problem with our web application.
The private web is: private.example.com. The public web is: example.com.
For some reasons outside my control, www.example.com is always redirected to example.com. I guess this is the setup on the server.
The problem is when I log in to the admin console, and open a new tab and request the public site, the login session is lost.
This only happens in IE 7.
After some digging I found this site:
http://blogs.msdn.com/ieinternals/archive/2009/08/20/WinINET-IE-Cookie-Internals-FAQ.aspx
See Q3.
Can it be that the session set in admin (private.example.com) is deleted when I access the public site? Since the server is redirecting me to example.com?
I think we do not specify the domain part when setting the cookie (Java).
As I said, this only happens with XP SP3 and IE7.
Anyone who can help me, or correct my understanding of the IE stuff?
Upvotes: 2
Views: 1210
Reputation: 41747
If you set a cookie for example.com it should be sent to www.example.com and private.example.com, but if you set a cookie for private.example.com it should not be sent to example.com. Some sites set all their cookies against www.example.com and serve static content from static.example.com or another domain so cookies are not needlessly sent along with requests for static content.
See also http://developer.yahoo.com/performance/rules.html#cookie_free
Upvotes: 0
Reputation: 22220
Yes, cookies are domain and even sub-domain specific. So this is the problem. For consistency's sake, I'd try to find a way to keep it on the same sub-domain.
You said the redirect from www.yourdomain.com to yourdomain.com is outside your control. Is that because you don't have access to the server? If so, you could attack it from another angle. Instead of preventing the redirect, you could set up a global 301 redirect rule so that every user who goes to www.yourdomain.com is instantly redirected to yourdomain.com (kinda like StackOverflow.com). That way it remains consistent on every page of the site.
There are many different ways to accomplish this. But if by chance you're using .NET, see my answer to this question: Setting up HTTP Redirect for SEO in IIS7
That's a pure .NET code solution that requires no additional modules so it'd work even if you don't have access to the server. Actually that answer is for the reverse scenario (non-www to www) but it could easily be modified for this task.
Upvotes: 1
Reputation: 3894
Domains and sub-domains are independent of each other when it comes to cookies. I would check your DNS records to see where your A records actually point, then look at your webserver to see how the subdomains are interpreted. Sometimes servers are configured to treat subdomains as URL redirections, especially in large hosted solutions.
You might also want to check if the Java equivalent of the ASP property 'Response.Cookies("UID").Domain' is set somewhere along the line.
Upvotes: 0
Reputation: 1628
Cookies are always set on a subdomain rather than the domain itself, when being created. You'll have to specifically set up the cookie to point to example.com when created. We had the same problem with admin.example.com and dealer.example.com login cookies.
Upvotes: 1
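The cookie scoping discussed in the answers above, as an added example that is not part of any post: a simplified model of the RFC 6265 storage and domain-match rules, run against the thread's three hosts. The function names (`domainMatch`, `storeCookie`, `wouldSend`, `scopeTable`) are hypothetical, and the model leaves out public-suffix checks, Path, Secure, expiry and browser-specific deviations.

```javascript
// Added example: RFC 6265 cookie scoping (sections 5.1.3 and 5.3), simplified.
// Assumption: hosts are plain DNS names or IPv4 literals; no public-suffix list.

const isIPv4 = (h) => /^\d{1,3}(\.\d{1,3}){3}$/.test(h);

// Section 5.1.3: a host matches if it equals the cookie domain or is a subdomain of it.
function domainMatch(host, cookieDomain) {
  host = host.toLowerCase();
  cookieDomain = cookieDomain.toLowerCase();
  if (host === cookieDomain) return true;
  return !isIPv4(host) && host.endsWith("." + cookieDomain);
}

// Section 5.3: how a cookie received from `setterHost` is stored.
// domainAttr is the Domain attribute of Set-Cookie, or undefined when omitted.
function storeCookie(setterHost, domainAttr) {
  setterHost = setterHost.toLowerCase();
  if (domainAttr === undefined || domainAttr === "") {
    return { domain: setterHost, hostOnly: true }; // host-only cookie
  }
  const domain = domainAttr.replace(/^\./, "").toLowerCase();
  // A host may only name itself or one of its parent domains.
  if (!domainMatch(setterHost, domain)) return null;
  return { domain, hostOnly: false };
}

// Would the stored cookie be attached to a request for requestHost?
function wouldSend(cookie, requestHost) {
  requestHost = requestHost.toLowerCase();
  return cookie.hostOnly
    ? requestHost === cookie.domain
    : domainMatch(requestHost, cookie.domain);
}

// Map each host to true/false for one Set-Cookie decision.
function scopeTable(setterHost, domainAttr, hosts) {
  const cookie = storeCookie(setterHost, domainAttr);
  const row = {};
  for (const h of hosts) row[h] = cookie !== null && wouldSend(cookie, h);
  return row;
}

const HOSTS = ["example.com", "www.example.com", "private.example.com"];
console.log("no Domain:", scopeTable("private.example.com", undefined, HOSTS));
console.log("Domain=example.com:", scopeTable("private.example.com", "example.com", HOSTS));
console.log("Domain=www.example.com:", scopeTable("private.example.com", "www.example.com", HOSTS));
```

Setting `Domain=example.com` makes the login cookie visible on the public site, but it also sends the admin session cookie to every other host under example.com, so each of those hosts has to be trusted with it.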