Sessions / Cookies across domains.

Hi all,
I'm implementing an affiliate scheme on one of my websites so that when someone accesses www.mydomain.com/index.jsp?aff_id=123, the JSP stores a cookie with the affiliate id in it (this is the affiliate that referred the person to my site). This bit works fine.
My problem comes when the user goes to order a license and is redirected to my secure server. When I try to access the cookie to get the affiliate info, I can't access it.
I know I could embed the affiliate id in the link, but I don't really want to do this if it can be avoided...
Any ideas of a work-around?

You could also pass the id as a hidden field in a form.
Have the link call a JavaScript function. The JavaScript function could access the cookie and pull out the id. The function would then set a hidden field in a form to the id value and then POST the form to the secure server.
The form would only have hidden fields so it could be tagged on the end of the HTML page and the user would never know it was there.

Similar Messages

  • Setting cookies across domains

    Hi there all,
    I'm posting this in desperation to be honest; I don't think there is a cut'n'dried answer to this one.
    I've got a horrible situation (don't ask why, it's far too complex and, to be quite honest, boring :) ).
    I'm trying to "mesh" together a classic .asp site with an asp.NET site on 2 separate domains. Basically I've got a page from the asp.NET site (eg. www.something.co.uk) displayed within an iframe on the .asp site (eg www.another.co.uk). So far so good.
    I need to set a cookie on www.another.co.uk and be able to read it, or replicate it, on www.something.co.uk. Because they are not sub-domains I can't set the cookie directly because of security restrictions.
    So, I thought I could pass a URL variable across to www.something.co.uk via the iframe URL, and then use JavaScript to read said URL variable and set a cookie on the www.something.co.uk domain. No go. I suspect there are yet again security restrictions on setting cookies across domains using an iframe.
    So I'm kind of stuck. Can anybody suggest anything please, bearing in mind I have very limited control over the asp.NET (www.something.co.uk) site, so any solution I come up with needs to be using JavaScript.
    Major sized thanks in advance.
    @ndyB

  • How to set the cookie or session of one domain to another domain

    Hi,
    I am using Tomcat server. I am facing an issue of session loss when I move from one domain to another domain.
    e.g. http://mydomain.com/ to http://a.mydomain.com.
    Is there any way to set the cookie or share the same session with a subdomain in Tomcat?
    Please help me. I will be highly obliged.

    a tutorial from JavaWorld
    http://www.javaworld.com/javaworld/jw-01-2001/jw-0126-servlets.html?page=1

  • Using session data across applications and subdomains

    Is there a way to share session data across different CF applications? Across different subdomains?
    The goal here is a single-source login that stores complex data in a re-useable session scope. The current installation uses WDDX to serialize the data and drop it into a cookie. I am looking for alternatives to the WDDX method as it has been causing a number of errors.
    For example, I have application "a" at appA.domain.com ~ a user logs in and a session is created [domain cookies are set]. I would like the user to be able to go to both appA.domain.com/subapp [which has its own application.cfm] and reuse the session created at appA.domain.com.
    Similarly I would like the session created at appA.domain.com to carry over to appB.domain.com [which would have its own application.cfm file].
    Thanks for any help.
    ~jason.

    That would be known as cross-site scripting and most browsers disable that now, as it is a security issue if an application can read cookies from a different site domain.
    Sites that use cross-site data have to either pass it at the time of accessing the other domain (via URL) or use a single database to record and recall data between applications.
    Passport is a good example. Even though you can use Passport on any site that offers it, the site ultimately transfers you to the Passport website momentarily to collect your login and then transfers you back to your site along with the credentials in a URL variable so your own site can then record the cookie and state that you are logged in. It doesn't actually read the Passport cookie from your own site.
    If you were to create a DB that applies to multiple sites, you could figure out a way to populate session variables on separate sites by querying the DB for the data if there is no data currently stored, or if it detects that the referer was a different URL prior to loading the current site. Once it queries the data it can store the data in a session variable.

  • How to Set up HTTPOnly and SECURE FLAG for session cookies

    Hi All,
    To fix some vulnerability issues (found in ethical hacking / penetration testing) I need to set up the session cookies (CFID, CFTOKEN, JSESSIONID) with "HTTPOnly" (so they cannot be accessed by non-HTTP APIs like JavaScript). Also I need to set up a "secure flag" for those session cookies.
    I have found the below solutions.
    For setting up the HTTPOnly for the session cookies.
    1] In application.cfc we can do this by using the below code. Or we can do this in CF admin side under Server Settings » Memory Variables
         this.sessioncookie.httponly = true;
    For setting up the secure flag for the session cookies.
    2] In application.cfc we can do this by using the below code. Or we can do this in CF admin side under Server Settings » Memory Variables
         this.sessioncookie.secure = "true"
    Here my question is, how can we do the same thing in Application.cfm? (I am using ColdFusion version 10.) I know we can do this using the code below, in the case of HTTPOnly (for example).
    <cfapplication setclientcookies="false" sessionmanagement="true" name="test">
    <cfif NOT IsDefined("cookie.cfid") OR NOT IsDefined("cookie.cftoken") OR cookie.cftoken IS NOT session.CFToken>
      <cfheader name="Set-Cookie" value="CFID=#session.CFID#;path=/;HTTPOnly">
      <cfheader name="Set-Cookie" value="CFTOKEN=#session.CFTOKEN#;path=/;HTTPOnly">
    </cfif>
    But in the above code "setclientcookies" has been set to "false". In my application (it is an existing application) this has already been set to "true". If I change this to "false" as in the above code then ColdFusion will not automatically send the CFID and CFTOKEN cookies to the client browser and we need to manually code CFID and CFTOKEN on the URL for every page that uses Session. Right? And this will be a headache. Right? Or is there any other way to do this?
    Your timely help is well appreciated.
    Thanks in advance.

    BKBK wrote:
    Abdul L Koyappayil wrote:
    BKBK wrote:
    You can switch httponly / secure on and off, as we have done, for CFID and CFToken. However, Tomcat automatically switches JsessionID to 'secure' when it detects that the protocol is secure, that is, HTTPS.
    I couldn't understand this. I mean, how are you relating this to my question?
    When Tomcat detects that the communication protocol is secure (that is, HTTPS), it automatically switches on the 'secure' flag for the J2EE session cookie, JsessionID. Tomcat is configured to do that. ColdFusion has no say in it. So, for JsessionID, 'secure' is automatically set to 'false' when HTTP is detected and automatically set to 'true' when HTTPS is detected.
         If this is the case, then why am I getting the info below for JSESSIONID? (As you mentioned, it should be set with the SECURE flag. Right?) Note that we are using the Apache vFabric web server, the application we are using is on HTTPS, and no requests go from HTTPS to HTTP.
         Name: JSESSIONID
         Content: 782BF97F50AEC00B1EBBF1C2DBBBB92F.xyz
         Domain: xyz.abc.pqr.com
         Path:
         Send for: Any kind of connection
         Accessible to script: No (HttpOnly)
         Created: Wednesday, September 3, 2014 2:25:10 AM
         Expires: When the browsing session ends
    BKBK wrote:
    2] When I checked CF Admin -> Server Settings -> Memory Variables, I found that J2EE SESSION has been set to YES. So does this mean we need to set the HTTPOnly and SECURE flags for JSESSIONID only, or for the CF session cookies (CFID and CFTOKEN) as well?
    Set HTTPOnly / Secure for the session cookies that you wish to use. Each cookie has its pros and cons. For example, the JsessionID cookie is more secure and more Java-interoperable than CFID/CFToken but, from the explanation above, it forbids the sharing of sessions between HTTP and HTTPS.
         I understood that setting those flags (httponly/secure) is as per my wish. But my question was, is it necessary to set those flags for the CF session cookies (cfid and cftoken) as we have enabled J2EE sessions in CF admin? Or, in other words, as the session management is J2EE based, do we need to set those flags for the CF session cookies?
    BKBK wrote:
    3] If I need to set the HTTPOnly and SECURE flags for JSESSIONID, how can I do that?
    It is sufficient to set the HTTPOnly only. As I explained above, Tomcat will automatically set 'secure' to 'true' when necessary, that is, when the protocol is HTTPS.
         I understood that it is sufficient to set HttpOnly only. But how will we set it for JSESSIONID? This is my question. Apache vFabric will also set secure to true automatically. Any idea?

  • Session Cookies Being Overwritten Browsing From SSL to Non SSL

    I have created a bug report for this issue as well.
    Please note I am using J2EE session variables so keep that in mind.
    I am seeing session cookies being overwritten when browsing from an SSL connection to a non SSL connection.
    For example:
    Visiting https://www.domain.com/ results in a JSESSIONID cookie being set with details being sent for "Encrypted connections only".
    Visiting http://www.domain.com/ results in a JSESSIONID cookie being set with details being sent for "Any type of connection".
    Here's the problem:
    Say for example, you're logging into an admin module located at https://www.domain.com/admin/. Once authenticated and some session variables are set, you browse to http://www.domain.com/. When that happens your session cookie (JSESSIONID) is overwritten with a new value and you instantly lose your authentication in the admin module.
    Obviously this is causing massive problems for my clients that bounce back and forth from SSL to non SSL connections which is common for e-commerce websites.
    Steps to Reproduce:
    1. Clear your cookies.
    2. Visit a web page such as https://www.domain.com/. Note the JSESSIONID cookie value.
    3. Visit a web page such as http://www.domain.com/. Note the JSESSIONID cookie value and how it was overwritten.
    This behavior changed in ColdFusion 10. ColdFusion 9 did not overwrite the session cookie.
    Has anyone else experienced this?
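    The Tomcat subdomain question, the HttpOnly/Secure question and this HTTPS-to-HTTP overwrite all come down to how a browser scopes a cookie. The following is an added example, not code from any of the posts: it models the RFC 6265 storage and matching rules in Python, using constructed Set-Cookie values and the hostnames from the posts, and shows why a host-only cookie never reaches a.mydomain.com, why a Secure JSESSIONID cannot accompany a plain-HTTP request (so the server issues a fresh one), and which flag the quoted CFID header still lacks.

```python
"""Browser cookie-scoping model (added example; not code from this thread).
Encodes the RFC 6265 rules behind the Tomcat, SSL and pentest questions
above: host-only vs Domain cookies, Secure vs http://, and HttpOnly.
All Set-Cookie values and hostnames below are constructed samples.
"""
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit


@dataclass
class Cookie:
    name: str
    value: str
    domain: str                 # effective domain once stored
    host_only: bool = True      # True when no Domain attribute was given
    path: str = "/"
    secure: bool = False
    httponly: bool = False


def domain_matches(host: str, domain: str) -> bool:
    """RFC 6265 s5.1.3: host equals domain or is a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def path_matches(req_path: str, cookie_path: str) -> bool:
    """RFC 6265 s5.1.4 path-match."""
    if req_path == cookie_path:
        return True
    if not req_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or req_path[len(cookie_path)] == "/"


def set_from(header: str, origin_url: str) -> Optional[Cookie]:
    """Store one Set-Cookie header value the way a browser receiving it from
    origin_url would; returns None when the Domain attribute is rejected."""
    host = urlsplit(origin_url).hostname.lower()
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    ck = Cookie(name.strip(), value.strip(), domain=host)
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "domain" and val:
            dom = val.lstrip(".").lower()
            if not domain_matches(host, dom):
                return None     # browsers drop cookies for foreign domains
            ck.domain, ck.host_only = dom, False
        elif key == "path" and val.startswith("/"):
            ck.path = val
        elif key == "secure":
            ck.secure = True
        elif key == "httponly":
            ck.httponly = True
    return ck


def would_send(ck: Cookie, request_url: str) -> bool:
    """Decide whether a stored cookie accompanies a request to request_url."""
    u = urlsplit(request_url)
    host = u.hostname.lower()
    if ck.host_only and host != ck.domain:
        return False
    if not ck.host_only and not domain_matches(host, ck.domain):
        return False
    if ck.secure and u.scheme != "https":
        return False
    return path_matches(u.path or "/", ck.path)


def missing_flags(ck: Cookie) -> List[str]:
    """Attributes a session cookie should carry but does not."""
    return [f for f, on in (("Secure", ck.secure), ("HttpOnly", ck.httponly)) if not on]


if __name__ == "__main__":
    # Tomcat question: the host-only cookie never reaches the subdomain.
    c = set_from("JSESSIONID=abc123; Path=/", "http://mydomain.com/")
    print(would_send(c, "http://a.mydomain.com/"))          # False
    c = set_from("JSESSIONID=abc123; Path=/; Domain=mydomain.com", "http://mydomain.com/")
    print(would_send(c, "http://a.mydomain.com/"))          # True
    # SSL question: the Secure cookie stays home on http://, so the server
    # sees no session and issues a fresh JSESSIONID that replaces it.
    c = set_from("JSESSIONID=def456; Path=/; Secure; HttpOnly", "https://www.domain.com/admin/")
    print(would_send(c, "http://www.domain.com/"))          # False
    # Pentest finding: the CFID header quoted in the thread lacks Secure.
    print(missing_flags(set_from("CFID=123;path=/;HTTPOnly", "https://cf.example/")))  # ['Secure']
```

    The Domain check in set_from also covers the APEX iframe case further down: a response from office.ourcorp.com cannot set a cookie for brand1.com, so the browser drops it.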

  • Apex session cookie in Safari

    Hi all,
    I'm hitting a restriction or security feature(?) of Safari in iOS. One of our Apex applications is a page that runs in an iframe on a site. Apex is installed on a server inside our own network and is accessible via DNS: office.ourcorp.com (fake name, just to clarify the situation). We have a couple of different brands, that all have their own domains: brand1.com, brand2.com etc. All of these sites open the apex page inside an iframe.
    That all works beautifully in all browsers, except in Safari in iOS. In iOS, the apex page isn't showing. It seems it's because of the session cookie Apex sets. Safari can't set a cookie from another domain (a cross-domain cookie). Is there a possibility to turn off the session cookie (ORA_WWV_APP_xxx)?
    I also tried to set the 'cookie domain' option inside the authentication scheme to one of the domain names for our brands, but it still doesn't show up.
    Does someone have a solution?

    I tried to do that. If you read my very first post in this thread, specifically "If I try to set a cookie in the page sentry function, it is breaking at the redirect line. Also, I don't think page sentry is the right place to set a cookie since it executes at every page.", I tried to set a cookie but it is throwing an error at the page.
    I think all these complications are because I don't have a login page and I am using an HTTP header variable to validate the user. Given that, where should I set the cookie?
    I also tried to do this:
    - create an application item called 'testuser'
    - create an application computation to run 'before header' which sets the value of this to my HTTP header variable.
    - When I retrieve the app item 'testuser' from a page, it is getting the correct value. But when I use this in the authentication scheme, it is returning null. Any idea why?
    I know I am throwing a lot of questions. That is because I am trying a lot of approaches and each of them is posing a new set of challenges. I am actually looking for alternative ways to do what I am looking to do.
    Thanks.
    Shuba

  • Weblogic Sessions for different domains

    Hi
    I am developing a website that will be used in different countries. The code is going to be the same and this code will be deployed on one cluster of WebLogic servers.
    For example, there will be a site abc.com.br and abc.com.mx. Both of these are websites for different countries but will be served by the same application server.
    So, the same application server will service the requests coming from both websites. So the question that I have is whether WebLogic will treat these requests as separate sessions or the same session.
    i.e., will the WebLogic server issue two JSESSIONID cookies for both these domains or will this be treated as a single session?
    Thanks in advance
    Tejas

    Hi,
    You can use "Cookie-Path" tag inside your "weblogic.xml" file to prevent any such thing: http://download.oracle.com/docs/cd/E15051_01/wls/docs103/webapp/weblogic_xml.html
    cookie-path
    Default Value: null
    Defines the session tracking cookie path.
    If not set, this attribute defaults to / (slash), where the browser sends cookies to all URLs served by WebLogic Server. You may set the path to a narrower mapping, to limit the request URLs to which the browser sends cookies.
    Still, if you want to make sure that the Session Cookie Name is different for both applications (meaning other than JSESSIONID) then you can use the <cookie-name> tag inside the "weblogic.xml" file. One good way of changing the cookie name is using "plan.xml" without changing anything physically in the application.
    Example: http://weblogic-wonders.com/weblogic/2009/12/16/updating-cookiename-using-plan-xml/

  • Session sharing acrossed ears

    Is it possible to share a session across multiple EARs? I have successfully shared sessions across multiple WARs in a single EAR by using the session scoping and session path information.

    According to the spec, sessions aren't supposed to cross WARs. However, with IBM's WebSphere, you are able to "enable" "Shared Session Context" across multiple WARs in a single EAR, provided the virtual domains for each WAR are the same.
    This is nice because it gives a developer the flexibility to logically break up a large site into multiple WAR applications under the same EAR without having to worry about session management. For example, you can have a BrochureWAR, LoginWAR and a MemberForumWAR, MemberPaymentWAR, etc... all in the same EAR. The LoginWAR would put a UserObject into Session and the other MemberWARs could use it. Otherwise you would have to use the dreaded EJB solution or roll your own web-service state machine.
    As a quick note, be sure that any Object you put into the Shared Session Context is loaded using the Server's classpath and not the WAR's classpath. If you don't, and you load a FooObject from WAR1's lib into session, a read from Session by WAR2 will throw a ClassNotFound error because of differing classloaders. Know what I mean?
    Now with all that said, I want Shared Sessions across EARs (obviously for WARs of the same domain of course). In this way, I would be able to completely remove/upgrade certain areas of a very large web application without affecting other areas, for example: someWebSitesMemberPaymentEAR without affecting someWebSitesMemberForumEAR. Of course I could achieve this with all web applications calling some stateful WebService or EJB thing backend too but GOSH... that's a lot of work for Session Management across EARs. Where's the easy button?

  • Credential session cookie and smartphone

    hi,
    It seems session cookies for authentication don't work with Opera on Windows Mobile 6.5 and Safari on iPhone 3GS. Browsers prompt me with AD authentication and ... blank page. It works with IE in WM 6.5.
    Have you seen that before?

  • Weblogic.httpd.session.cookies.enable not working in WLS4.5 sp 11 ?

    I want to disable the use of cookies in WLS 4.5, and set the following
    weblogic.httpd.session.cookies.enable=false
    In WLS 4.5 sp7, this correctly prevents the server from using cookies
    for session-tracking, forcing the extraction of the session id from a
    rewritten URL.
    However, for WLS 4.5 sp11 cookies are still sent from the server
    Is this a known issue?
    jo

  • Can portal session cookies be used between two data centers

    OAS generates the following header information and session information for my application. However, when I need to fail over the originating OAS datacenter into my hot stand-by for maintenance or upgrades, the OAS in the other datacenter responds with a 503 web error. We are using Akamai's GTM to manage the liveness of the datacenter, so we would need the hot stand-by OAS portal in that datacenter to return a 302 code. Is there some method that we can add to our portal application which would always return a 302 code?
    See header information collected through wfetch. The 503 error is caused by the hot stand-by data center not accepting or recognizing the cookie. Both OAS datacenters are IDENTICAL in Oracle levels, application levels, web servers, portals and OS patches.
    resolve hostname "170.107.183.32"WWWConnect::Connect("170.107.183.32","80")\nsource port: 2182\r\n
    GET /portal/pls/portal/PORTAL.wwsec_app_priv.login?p_requested_url=%2Fportal%2Fpls%2Fportal%2FPORTAL.home&p_cancel_url=%2Fportal%2Fpls%2Fportal%2FPORTAL.home HTTP/1.1\r\n
    Accept: */*\r\n
    Accept-Language: en-us\r\n
    Accept-Encoding: gzip, deflate\r\n
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)\r\n
    Host: www.thomson-pharma.com\r\n
    Connection: Keep-Alive\r\n
    Cookie: ORA_WX_SESSION="10.225.8.30:80-1#2"; portal=9.0.3+en-us+us+AMERICA+3D66674E7EED0801E04400144F41424E+BBAA98EEB32D58C086231A8D6CBE2E5D402D89B0E79D83A18C668BB0CA7417B4044DEA389C8B50DD37D9272A24B4753B22F29978861DE14503F8B9BEDC2014654B26A434CF074F4D8749B88610ADADF5084A90ADBF749E2A; DATACENTER=EAGAN\r\n
    \r\n
    HTTP/1.1 503 Service Unavailable\r\n
    Cache-Control: private\r\n
    Content-Type: text/html\r\n
    Set-Cookie: ORA_WX_SESSION="10.237.138.33:80-1#2"\r\n
    Set-Cookie: portal=; expires=Wednesday, 27-Dec-95 05:29:10 GMT; path=/\r\n
    Connection: Keep-Alive\r\n
    Keep-Alive: timeout=5, max=999\r\n
    Server: Oracle-Application-Server-10g/10.1.2.0.2 Oracle-HTTP-Server OracleAS-Web-Cache-10g/10.1.2.0.2 (N;ecid=208440262161,0)\r\n
    Content-Length: 710\r\n
    Date: Fri, 26 Oct 2007 14:58:07 GMT\r\n
    \r\n
    Thanks -John

    Hi John,
    This question is probably more appropriate in one of the Portal forums, but perhaps you can take a look at the information in section C.5 Configuring the Portal Session Cookie in Appendix C of the Portal Configuration guide.
    Here is a link: http://download.oracle.com/docs/cd/B14099_19/portal.1014/b19305/cg_app_c.htm#sthref1907
    Regards,
    Peter

  • How to create a session cookie on demand

    Hi,
    I searched the web but couldn't find anything related to creating session cookies on demand. I want to create a session cookie storing encrypted user tokens when there is none, for example, when the first page is called.
    The encryption part is OK, but I want to know how I can intercept every call to a set of pages and create the session cookie if it doesn't exist.
    I'm using ADF, of course, and Weblogic.
    Anyone can provide some examples or source code?
    Thanks.

    Cookies are accessible via the HTTP request and response; there you can add new cookies and/or change existing ones.
            import javax.faces.context.ExternalContext;
            import javax.faces.context.FacesContext;
            import javax.servlet.http.Cookie;
            import javax.servlet.http.HttpServletRequest;
            import javax.servlet.http.HttpServletResponse;

            ExternalContext ectx = FacesContext.getCurrentInstance().getExternalContext();
            HttpServletResponse response = (HttpServletResponse) ectx.getResponse();
            // get existing cookies (null when the request carries none)
            Cookie[] cookies = ((HttpServletRequest) ectx.getRequest()).getCookies();
            // create and set a new one
            Cookie cookie = new Cookie("key", "value");
            response.addCookie(cookie);
    This code should work in a bean. After setting the cookie you need to implement a servlet filter or a page phase listener where you check the requested URL and then check for your cookie.
    Timo

  • CFID and CFTOKEN Being Deleted from Session Cookie

    I can't believe that no one else has run into this - but I have found nothing on the internet.
    When I copy a piece from a web page that is generated by my ColdFusion server, and paste it into a Word document, the session cookie is altered, and the CFID and CFTOKEN information is deleted, so I lose my login. Recently, I've developed a problem on a different application - when I open a Word document that is stored on the server, using CFCONTENT, the same thing happens - the cookie is altered, CFID and CFTOKEN are deleted, and I lose my login.
    I'm tearing my hair out. Has anyone seen this behaviour, any ideas as to why this would occur? Any ideas as to how to get around it?

    Here's my CFAPPLICATION tag:
    <cfapplication name="DashBoard"
    clientmanagement="Yes"
    sessionmanagement="Yes"
    setclientcookies="Yes"
    clientstorage="cookie"
    loginstorage="session"
    sessiontimeout="#CreateTimeSpan(0, 0, 30, 0)#">
    Not sure what you mean by application sections. It's one application.
    I don't refer to the cookie in any other way. It's there only to do what CF does with it - maintain the information that's used to find the session.

  • APEX Security: Multiple session cookies in one browser

    Hi all,
    I use Mozilla Firefox as my web browser. When I open a new tab and enter the APEX application URL I am redirected to the login page. After successfully logging in I receive the session id and the browser receives the session cookie WWV_CUSTOM-F....
    When I now open the next browser tab and enter the APEX application URL I am redirected to the login page. After successfully logging in I receive a new session id and the browser receives the session cookie WWV_CUSTOM-F... with new content. My session from the first browser tab is killed, because the session cookie for that session was deleted/replaced by the session cookie from the second tab.
    Is it possible to have multiple APEX sessions open in one browser in multiple tabs?
    Regards

    Hi PaulP,
    it's simple.
    Unzip bsApex2 http://www.betasoftware.it/codice/bsApex2.zip
    If not installed, install Microsoft .NET Framework 4 Client Profile.
    Configure bsApex.exe.config
    <?xml version="1.0" encoding="utf-8" ?>
    <configuration>
      <appSettings>
        <!-- Application Title -->
        <add key="aTitolo" value="Apex Desktop by Beta Software snc" />
        <!-- Short application title -->
        <add key="aTitoloBreve" value="Apex Desktop" />
        <!-- Window height -->   
        <add key="aAltezza" value="960" />
        <!-- Window width-->
        <add key="aLarghezza" value="1200" />
        <!-- Close button text -->
        <add key="aChiudi" value="Close" />
        <!-- Print button text -->
        <add key="aStampa" value="Print" />
        <!-- Application icon-->
        <add key="aIcona" value="bsApex.ico" />
        <!-- Client -->
        <add key="aCliente" value="Apex Community" />
        <!-- Application address -->
        <add key="aIndirizzo" value="http://apex.oracle.com/pls/otn/f?p=23873:1" />
      </appSettings>
    </configuration>
    Run bsApex.exe, that's all.
    Regards,
    Gianluigi
