Andrey Minogin

Reputation: 4615

How do I set JSESSIONID domain to second level on Tomcat?

I have a service on Tomcat available at the following domains:

sub1.domain1.com
sub2.domain1.com

sub1.domain2.com
sub2.domain2.com

Now I need transparent authorization (Spring Security) for domain1. If a user logs in to sub1.domain1.com, he is authorized on sub2.domain1.com too.

This can be done with Tomcat's setting

sessionCookieDomain=".domain1.com"

But now authorization on sub1.domain2.com doesn't work at all, because the JSESSIONID cookie domain is always set to ".domain1.com".

How could I make Tomcat use only the second level of the current domain for the cookies?

Upvotes: 2

Views: 3555

Answers (1)

Stephen C

Reputation: 719679

The simple answer is that there is no simple answer. Essentially you need a primary login site, and a scheme whereby secondary sites get to set cookies for their domain that clone the primary site's session token. Implementing this is complicated.

Two possible SSO technologies are Shibboleth and JASIG CAS.

For more details, refer to the answers to Single Sign On across multiple domains.


What if I somehow overload cookie creation and set .domain1.com and .domain2.com where required?

If foo.domain1.com tries to set a cookie with path .domain2.com or anything.domain2.com, the browser will ignore it for security reasons. You have to go through a complex dance of redirections to set the cookies on both domains. Read the question / answers I linked to (above) for more details.

Upvotes: 2
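The browser behaviour the answer describes, and the failure in the question, both follow from the RFC 6265 cookie-domain rules: a Set-Cookie header whose Domain attribute the request host does not domain-match is ignored entirely. The following Python model is an added example, not code from the question, the answer, Tomcat or Spring Security. It implements the domain-match test and the Domain-attribute acceptance steps, plus the naive "second level of the current domain" rule the question asks for. The function names (`accept_cookie`, `domain_matches`, `second_level_domain`) and the sample headers are my own, and the public-suffix check that real browsers also apply is deliberately left out.

```python
"""Added example: a model of how a browser decides whether to store a cookie
based on its Domain attribute (RFC 6265 sections 5.1.3 and 5.3). Not code from
the page, Tomcat or Spring Security; names and sample headers are constructed."""
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class StoredCookie:
    name: str
    value: str
    domain: str      # canonical cookie domain, no leading dot
    host_only: bool  # True when the server sent no Domain attribute


def domain_matches(host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3: host domain-matches cookie_domain when both are
    identical, or host ends with "." + cookie_domain and host is not an IP."""
    host, cookie_domain = host.lower(), cookie_domain.lower()
    if host == cookie_domain:
        return True
    is_ip = re.fullmatch(r"[\d.]+", host) is not None
    return host.endswith("." + cookie_domain) and not is_ip


def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, str]]:
    """Minimal Set-Cookie parser: name, value and lower-cased attribute map."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def accept_cookie(request_host: str, set_cookie_header: str) -> Optional[StoredCookie]:
    """Model of the Domain-attribute steps of RFC 6265 section 5.3.
    Returns the cookie as the browser would store it, or None when the browser
    ignores the header. The public-suffix rejection step is omitted here."""
    name, value, attrs = parse_set_cookie(set_cookie_header)
    # A leading dot in the Domain attribute is ignored (section 5.2.3).
    domain_attr = attrs.get("domain", "").lstrip(".").lower()
    if not domain_attr:
        # No Domain attribute: host-only cookie for exactly the request host.
        return StoredCookie(name, value, request_host.lower(), host_only=True)
    # The request host must domain-match the Domain attribute; otherwise the
    # whole cookie is dropped. This is why a static sessionCookieDomain of
    # ".domain1.com" yields no session cookie at all on sub1.domain2.com, and
    # why foo.domain1.com cannot set a cookie for domain2.com.
    if not domain_matches(request_host, domain_attr):
        return None
    return StoredCookie(name, value, domain_attr, host_only=False)


def second_level_domain(host: str) -> str:
    """The rule the question asks for: keep the last two labels of the host.
    Caveat: this is wrong for multi-label public suffixes such as co.uk, where
    production code must consult the Public Suffix List instead."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


if __name__ == "__main__":
    # Constructed sample exchanges mirroring the page's scenarios.
    hdr = "JSESSIONID=abc; Domain=.domain1.com; Path=/; HttpOnly"
    print(accept_cookie("sub1.domain1.com", hdr))   # stored for all of domain1.com
    print(accept_cookie("sub1.domain2.com", hdr))   # None: dropped by the browser
    print(accept_cookie("foo.domain1.com", "JSESSIONID=abc; Domain=.domain2.com"))  # None
    print(second_level_domain("sub2.domain2.com"))  # domain2.com
```

Run the module directly to see the three cases side by side. The first call shows the working domain1 setup; the second reproduces the question's problem (the browser never stores the JSESSIONID on domain2 hosts, so every request there arrives without a session); the third reproduces the answer's point that a host cannot set a cookie for a foreign domain. `second_level_domain` is what a per-request cookie domain would have to compute, which Tomcat's static `sessionCookieDomain` attribute does not do.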
