Reputation:
Currently we are facing a problem with sharing the same session across subdomains. We are using a JBoss server.
Users access the site corresponding to their locale, say en_US, which has a unique domain name. A cookie is created corresponding to the domain. Users are allowed to go to other locales that have different domain names. The problem is that a new cookie is created for the other domain, which loses the information stored in the previous session. We need to use the same session cookie across domains.
Example domains: sample.au, sample.co.uk, sample.us
I asked to look into iframe/P3P solutions. I am new to this concept. Can you please guide me on how to achieve this?
Thanks in advance
Upvotes: 6
Views: 12963
Reputation: 655239
Cookies can only be shared in domains if they are valid for a common higher level domain. So foo.example.com and bar.example.com can share a cookie that is set for example.com. Note that the cookie’s Domain parameter value must be .example.com (with leading dot) to accomplish this.
Upvotes: 6
Reputation:
See Sharing Cookies Between Domains: http://www.15seconds.com/issue/971108.htm
It seems to use the "Redirection" to translate cookies between the domains. But it is too complex. Just for a reference.
Upvotes: 0
Reputation: 300845
What you need is a single sign on service. You could roll your own for your sites A..Y by having a centralised site Z to manage the sessions/sign on.
Now when the user goes to site B
To put it another way, your single sign on service gives the user something that they can hang on to (a session cookie) and also something they can pass to the participating site to prove they are authenticated.
Upvotes: 11
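The handoff described in the answer above, sketched as an added example (not from the original post or from any SSO product): central site Z issues a short-lived, single-use ticket bound to one participating domain and signed with HMAC-SHA256, and that site verifies it before creating its own local session cookie. The shared key, the ticket layout and the names SsoTicketDemo, issue and verify are assumptions; user ids are assumed not to contain '|'.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.*;
import java.util.concurrent.ConcurrentHashMap;

public class SsoTicketDemo {
    // Assumption: key shared by site Z and the participating sites (constructed value, keep real keys in a secret store).
    static final byte[] KEY = "constructed-demo-key".getBytes(StandardCharsets.UTF_8);
    static final Set<String> USED = ConcurrentHashMap.newKeySet(); // replay cache held by the verifying site

    static String b64(byte[] b) { return Base64.getUrlEncoder().withoutPadding().encodeToString(b); }

    static String hmac(String data) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(KEY, "HmacSHA256"));
        return b64(mac.doFinal(data.getBytes(StandardCharsets.UTF_8)));
    }

    // Site Z: called only after Z has authenticated the user through its own session cookie.
    static String issue(String user, String audience, long nowSec) throws Exception {
        String payload = user + "|" + audience + "|" + (nowSec + 60) + "|" + UUID.randomUUID();
        String body = b64(payload.getBytes(StandardCharsets.UTF_8));
        return body + "." + hmac(body);
    }

    // Participating site: returns the user id, or null when the ticket must be rejected.
    static String verify(String ticket, String myDomain, long nowSec) throws Exception {
        String[] parts = ticket.split("\\.");
        if (parts.length != 2) return null;
        byte[] expected = hmac(parts[0]).getBytes(StandardCharsets.UTF_8);
        // Constant-time comparison; nothing in the body is parsed until the signature checks out.
        if (!MessageDigest.isEqual(expected, parts[1].getBytes(StandardCharsets.UTF_8))) return null;
        String[] f = new String(Base64.getUrlDecoder().decode(parts[0]), StandardCharsets.UTF_8).split("\\|");
        if (f.length != 4 || !f[1].equals(myDomain)) return null; // malformed or issued for another site
        if (nowSec > Long.parseLong(f[2])) return null;           // past its 60-second lifetime
        if (!USED.add(f[3])) return null;                         // nonce already seen: replay
        return f[0]; // the caller now sets its own session cookie, scoped to myDomain only
    }

    public static void main(String[] args) throws Exception {
        long now = System.currentTimeMillis() / 1000;
        String t = issue("alice", "sample.co.uk", now);
        System.out.println(verify(t, "sample.co.uk", now)); // first presentation of the ticket
        System.out.println(verify(t, "sample.co.uk", now)); // same ticket presented again
        System.out.println(verify(issue("alice", "sample.au", now), "sample.co.uk", now));          // minted for sample.au
        System.out.println(verify(issue("alice", "sample.co.uk", now - 120), "sample.co.uk", now)); // minted two minutes ago
    }
}
```

Because the ticket travels in a redirect URL, the short lifetime, the audience check and the single-use nonce are what limit its value if it leaks into logs or a Referer header.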
Reputation: 1628
You need to set the domain for your cookie to your top domain preceded by a dot, e.g. for subdomain1.domain.com and subdomain2.domain.com, you would set the domain for the session cookie to: .domain.com.
In JBoss you should be able to override this for all the subdomains in the javax.servlet.http.Cookie class.
Upvotes: 3