Velocity Reviews - Computer Hardware Reviews

Velocity Reviews > Newsgroups > Programming > ASP .Net > Session Cookie not accessible across Sub-Domains

Reply
Thread Tools

Session Cookie not accessible across Sub-Domains

 
 
=?Utf-8?B?RG91Zw==?=
Guest
Posts: n/a
 
      08-22-2005
An ASP.NET session cookie set on "www.mydomain.com" can not be accessed on
"search.mydomain.com"; hence, a new session and cookie are being created on
every sub-domain.

This is occuring because ASP.NET always sets the Session cookie domain to
the full domain (e.g. "www.mydomain.com") instead of the parent domain (e.g.
"mydomain.com")

The problem with this is when the visitor goes to a different sub-domain
(e.g. "search.mydomain.com"), this sub-domain can not access the previously
set Session cookie, and hence, has no idea a session has already been
created. Hence, a new session is created with a new cookie set to
"search.mydomain.com". Now the visitor has two session cookies pointing to
two different sub-domains.

For the past couple of years, I've gotten around this by manually creating a
"ASP.NET_SessionId" cookie pointing to the parent domain (e.g.
"mydomain.com"). That way, all sub-domains have access to the same cookie and
the same session ID. However, this is a hack; I end up with multiple session
cookies pointing to "www.mydomain", "search.mydomain.com", and
"mydomain.com"; not the best solution.

How can I tell ASP.NET to always set the Session cookie domain to
"mydomain.com" so all sub-domains can read it? My research over the past
couple of years tells me this is impossible. This seems to be a major bug
that many people experience, however, I've heard no word of a fix nor any
comment on it from Microsoft.

Doug
 
Reply With Quote
 
 
 
 
John Timney \(ASP.NET MVP\)
Guest
Posts: n/a
 
      08-22-2005
When initially setting the cookie

Response.Cookies("domain").Value = DateTime.Now.ToString
Response.Cookies("domain").Expires = DateTime.Now.AddDays(1)
Response.Cookies("domain").Domain = "mydomain.com"

.................should do the trick.

I think its case sensitive at the browser.

--
Regards

John Timney
ASP.NET MVP
Microsoft Regional Director

"Doug" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> An ASP.NET session cookie set on "www.mydomain.com" can not be accessed on
> "search.mydomain.com"; hence, a new session and cookie are being created
> on
> every sub-domain.
>
> This is occuring because ASP.NET always sets the Session cookie domain to
> the full domain (e.g. "www.mydomain.com") instead of the parent domain
> (e.g.
> "mydomain.com")
>
> The problem with this is when the visitor goes to a different sub-domain
> (e.g. "search.mydomain.com"), this sub-domain can not access the
> previously
> set Session cookie, and hence, has no idea a session has already been
> created. Hence, a new session is created with a new cookie set to
> "search.mydomain.com". Now the visitor has two session cookies pointing to
> two different sub-domains.
>
> For the past couple of years, I've gotten around this by manually creating
> a
> "ASP.NET_SessionId" cookie pointing to the parent domain (e.g.
> "mydomain.com"). That way, all sub-domains have access to the same cookie
> and
> the same session ID. However, this is a hack; I end up with multiple
> session
> cookies pointing to "www.mydomain", "search.mydomain.com", and
> "mydomain.com"; not the best solution.
>
> How can I tell ASP.NET to always set the Session cookie domain to
> "mydomain.com" so all sub-domains can read it? My research over the past
> couple of years tells me this is impossible. This seems to be a major bug
> that many people experience, however, I've heard no word of a fix nor any
> comment on it from Microsoft.
>
> Doug



 
Reply With Quote
 
 
 
 
=?Utf-8?B?RG91Zw==?=
Guest
Posts: n/a
 
      08-22-2005
Hi John,
Thank you for the reply. I'm not sure I understand; or perhaps vice-versa?

I don't set the ASP.NET Session cookie. ASP.NET does that all on it's own. I
do know how to write cookies and set domains, etc. My question is, how do I
get ASP.NET to set the correct domain wherever it set its own cookie?

Thanks,
Doug


"John Timney (ASP.NET MVP)" wrote:

> When initially setting the cookie
>
> Response.Cookies("domain").Value = DateTime.Now.ToString
> Response.Cookies("domain").Expires = DateTime.Now.AddDays(1)
> Response.Cookies("domain").Domain = "mydomain.com"
>
> .................should do the trick.
>
> I think its case sensitive at the browser.
>
> --
> Regards
>
> John Timney
> ASP.NET MVP
> Microsoft Regional Director
>


 
Reply With Quote
 
John Timney \(ASP.NET MVP\)
Guest
Posts: n/a
 
      08-22-2005
sorry I misread your question (its late here!!).

You can't share sessions across domains, nor applications natively - so it
will always set a new cookie as you move between domains. Because you can
share cookies across those applications (and between those domains) one
approach is to store your shared data in a database and use a shared domain
cookie to identify the data in the database.

--
Regards

John Timney
ASP.NET MVP
Microsoft Regional Director

"Doug" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Hi John,
> Thank you for the reply. I'm not sure I understand; or perhaps vice-versa?
>
> I don't set the ASP.NET Session cookie. ASP.NET does that all on it's own.
> I
> do know how to write cookies and set domains, etc. My question is, how do
> I
> get ASP.NET to set the correct domain wherever it set its own cookie?
>
> Thanks,
> Doug
>
>
> "John Timney (ASP.NET MVP)" wrote:
>
>> When initially setting the cookie
>>
>> Response.Cookies("domain").Value = DateTime.Now.ToString
>> Response.Cookies("domain").Expires = DateTime.Now.AddDays(1)
>> Response.Cookies("domain").Domain = "mydomain.com"
>>
>> .................should do the trick.
>>
>> I think its case sensitive at the browser.
>>
>> --
>> Regards
>>
>> John Timney
>> ASP.NET MVP
>> Microsoft Regional Director
>>

>



 
Reply With Quote
 
=?Utf-8?B?RG91Zw==?=
Guest
Posts: n/a
 
      08-23-2005
Hi John,
I wasn't referring to sharing sessions across parent domains (e.g.
"mydomain1.com" and "mydomain2.com"). I want to share sessions on sub-domains
of the same domain (e.g. "www.mydomain.com" and "search.mydomain.com").
Regards,
Doug


"John Timney (ASP.NET MVP)" wrote:

> sorry I misread your question (its late here!!).
>
> You can't share sessions across domains, nor applications natively - so it
> will always set a new cookie as you move between domains. Because you can
> share cookies across those applications (and between those domains) one
> approach is to store your shared data in a database and use a shared domain
> cookie to identify the data in the database.
>
> --
> Regards
>
> John Timney
> ASP.NET MVP
> Microsoft Regional Director
>

 
Reply With Quote
 
John Timney \(ASP.NET MVP\)
Guest
Posts: n/a
 
      08-23-2005
I expect the problem would be the same. Asp.net bounds sessions and objects
within applications for security, so if your subdomains were not part of the
same web application then the session would not apply. The solution could
be to have a root application, with all your other applications hanging
under it as non application virtual directories - and then have something
like the isapi virtual hosting filter handle the domains, allowing the root
application to own the single session. I've never tried it myself though.
I would always see a sub-domain as a seperate application entirely, or why
would it be a sub-domain?

--
Regards

John Timney
ASP.NET MVP
Microsoft Regional Director

"Doug" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Hi John,
> I wasn't referring to sharing sessions across parent domains (e.g.
> "mydomain1.com" and "mydomain2.com"). I want to share sessions on
> sub-domains
> of the same domain (e.g. "www.mydomain.com" and "search.mydomain.com").
> Regards,
> Doug
>
>
> "John Timney (ASP.NET MVP)" wrote:
>
>> sorry I misread your question (its late here!!).
>>
>> You can't share sessions across domains, nor applications natively - so
>> it
>> will always set a new cookie as you move between domains. Because you
>> can
>> share cookies across those applications (and between those domains) one
>> approach is to store your shared data in a database and use a shared
>> domain
>> cookie to identify the data in the database.
>>
>> --
>> Regards
>>
>> John Timney
>> ASP.NET MVP
>> Microsoft Regional Director
>>



 
Reply With Quote
 
=?Utf-8?B?RG91Zw==?=
Guest
Posts: n/a
 
      08-23-2005
Well, the out-of-proc StateServer works just fine for sharing sessions across
sub-domains. Everything in ASP.NET allows for sharing sessions across
sub-domains; everything except this simple cookie issue.

Let me explain one of the reasons why I need sessions to be shared across
sub-domains:
I have a "www" server, and a "search" server. When a person signs in, the
HTML header at the top of every page shows a link to "Sign Out". This same
header is used on every page throughout the site; on both "www" and "search".
Based on the session, I know whether the person is signed in or not, and
whether to show the "Sign Out" link or not. The session needs to persist
across sub-domains; otherwise, when a person goes to the "search" server,
they wouldn't appear to be signed in any longer.

There are many real-world examples of why sessions need to be shared across
sub-domains. e.g. Yahoo uses a single sign-on and you stay signed-in across
"mail.yessy.com", "shopping.yahoo.com", "music.yahoo.com", etc.

There are just so many examples of why a session would need to be shared
across sub-domains.

The ASP.NET StateServer natively supports sub-domains. The only issue is the
domain setting for the Session cookie. Instead of tying the cookie to
"www.mydomain.com", allow the cookie to be tied to "mydomain.com". That way,
all sub-domains can access the cookie and problem solved. People stay
signed-in across sub-domains; the same session can be accessed; etc.

Why not allow developers to share sessions across sub-domains if they need
to? It's an extremely simple feature to provide.

By the way, I implemented a fairly good fix/hack today. Put this code on
every page:
Response.Cookies["ASP.NET_SessionId"].Value = Session.SessionID;
Response.Cookies["ASP.NET_SessionId"].Domain = ".mydomain.com";

Those two lines of code rewrite the Session cookie so it's now accessible
across sub-domains.

My hope is that Microsoft will implement a web/machine.config param that
allows the Session cookie to be accessed across sub-domains.

Doug



"John Timney (ASP.NET MVP)" wrote:

> I expect the problem would be the same. Asp.net bounds sessions and objects
> within applications for security, so if your subdomains were not part of the
> same web application then the session would not apply. The solution could
> be to have a root application, with all your other applications hanging
> under it as non application virtual directories - and then have something
> like the isapi virtual hosting filter handle the domains, allowing the root
> application to own the single session. I've never tried it myself though.
> I would always see a sub-domain as a seperate application entirely, or why
> would it be a sub-domain?
>
> --
> Regards
>
> John Timney
> ASP.NET MVP
> Microsoft Regional Director
>
> "Doug" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
> > Hi John,
> > I wasn't referring to sharing sessions across parent domains (e.g.
> > "mydomain1.com" and "mydomain2.com"). I want to share sessions on
> > sub-domains
> > of the same domain (e.g. "www.mydomain.com" and "search.mydomain.com").
> > Regards,
> > Doug
> >
> >
> > "John Timney (ASP.NET MVP)" wrote:
> >
> >> sorry I misread your question (its late here!!).
> >>
> >> You can't share sessions across domains, nor applications natively - so
> >> it
> >> will always set a new cookie as you move between domains. Because you
> >> can
> >> share cookies across those applications (and between those domains) one
> >> approach is to store your shared data in a database and use a shared
> >> domain
> >> cookie to identify the data in the database.
> >>
> >> --
> >> Regards
> >>
> >> John Timney
> >> ASP.NET MVP
> >> Microsoft Regional Director
> >>

>
>
>

 
Reply With Quote
 
John Timney \(ASP.NET MVP\)
Guest
Posts: n/a
 
      08-23-2005
good hack - I'll remember that one

--
Regards

John Timney
ASP.NET MVP
Microsoft Regional Director

"Doug" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Well, the out-of-proc StateServer works just fine for sharing sessions
> across
> sub-domains. Everything in ASP.NET allows for sharing sessions across
> sub-domains; everything except this simple cookie issue.
>
> Let me explain one of the reasons why I need sessions to be shared across
> sub-domains:
> I have a "www" server, and a "search" server. When a person signs in, the
> HTML header at the top of every page shows a link to "Sign Out". This same
> header is used on every page throughout the site; on both "www" and
> "search".
> Based on the session, I know whether the person is signed in or not, and
> whether to show the "Sign Out" link or not. The session needs to persist
> across sub-domains; otherwise, when a person goes to the "search" server,
> they wouldn't appear to be signed in any longer.
>
> There are many real-world examples of why sessions need to be shared
> across
> sub-domains. e.g. Yahoo uses a single sign-on and you stay signed-in
> across
> "mail.yessy.com", "shopping.yahoo.com", "music.yahoo.com", etc.
>
> There are just so many examples of why a session would need to be shared
> across sub-domains.
>
> The ASP.NET StateServer natively supports sub-domains. The only issue is
> the
> domain setting for the Session cookie. Instead of tying the cookie to
> "www.mydomain.com", allow the cookie to be tied to "mydomain.com". That
> way,
> all sub-domains can access the cookie and problem solved. People stay
> signed-in across sub-domains; the same session can be accessed; etc.
>
> Why not allow developers to share sessions across sub-domains if they need
> to? It's an extremely simple feature to provide.
>
> By the way, I implemented a fairly good fix/hack today. Put this code on
> every page:
> Response.Cookies["ASP.NET_SessionId"].Value = Session.SessionID;
> Response.Cookies["ASP.NET_SessionId"].Domain = ".mydomain.com";
>
> Those two lines of code rewrite the Session cookie so it's now accessible
> across sub-domains.
>
> My hope is that Microsoft will implement a web/machine.config param that
> allows the Session cookie to be accessed across sub-domains.
>
> Doug
>
>
>
> "John Timney (ASP.NET MVP)" wrote:
>
>> I expect the problem would be the same. Asp.net bounds sessions and
>> objects
>> within applications for security, so if your subdomains were not part of
>> the
>> same web application then the session would not apply. The solution
>> could
>> be to have a root application, with all your other applications hanging
>> under it as non application virtual directories - and then have something
>> like the isapi virtual hosting filter handle the domains, allowing the
>> root
>> application to own the single session. I've never tried it myself
>> though.
>> I would always see a sub-domain as a seperate application entirely, or
>> why
>> would it be a sub-domain?
>>
>> --
>> Regards
>>
>> John Timney
>> ASP.NET MVP
>> Microsoft Regional Director
>>
>> "Doug" <(E-Mail Removed)> wrote in message
>> news:(E-Mail Removed)...
>> > Hi John,
>> > I wasn't referring to sharing sessions across parent domains (e.g.
>> > "mydomain1.com" and "mydomain2.com"). I want to share sessions on
>> > sub-domains
>> > of the same domain (e.g. "www.mydomain.com" and "search.mydomain.com").
>> > Regards,
>> > Doug
>> >
>> >
>> > "John Timney (ASP.NET MVP)" wrote:
>> >
>> >> sorry I misread your question (its late here!!).
>> >>
>> >> You can't share sessions across domains, nor applications natively -
>> >> so
>> >> it
>> >> will always set a new cookie as you move between domains. Because you
>> >> can
>> >> share cookies across those applications (and between those domains)
>> >> one
>> >> approach is to store your shared data in a database and use a shared
>> >> domain
>> >> cookie to identify the data in the database.
>> >>
>> >> --
>> >> Regards
>> >>
>> >> John Timney
>> >> ASP.NET MVP
>> >> Microsoft Regional Director
>> >>

>>
>>
>>



 
Reply With Quote
 
alaistair alaistair is offline
Junior Member
Join Date: Jul 2006
Posts: 1
 
      07-05-2006
been looking for something like this for the last 2 days....

very neat bit of code

Thanks again,

Al

http://www.aejis.com
http://www.rockmopeds.co.uk
 
Reply With Quote
 
Nariman Nariman is offline
Junior Member
Join Date: Oct 2007
Posts: 1
 
      10-02-2007
We're trying to get this to work for sub-domains using ASP.NET State Server. However, despite the cookie fix mentioned below, and despite the fact that both applications report the same Session.SessionID, we're seeing a discrepancy in the Session.Counts.

According to the articles below, it's a combination of the ApplicationID and SessionID that determine uniqueness. The articles seem to suggest that ASP.NET State Server cant be used for this reason, and that it requires a hack/fix to the SQL SPs to ensure that the ApplicationIDs are made to look the same.

Im wondering how it is that you got this to work with ASP.NET State Server, as that is clearly a preferred approach? We've even experimented with running the parent/child applications under same/different application pools to no avail.

[1]
http://blogs.msdn.com/toddca/archive...lications.aspx

[2]
http://www.rochester-consulting.com/...spx?EntryID=22

Quote:
Originally Posted by =?Utf-8?B?RG91Zw==?=
Well, the out-of-proc StateServer works just fine for sharing sessions across
sub-domains. Everything in ASP.NET allows for sharing sessions across
sub-domains; everything except this simple cookie issue.

Let me explain one of the reasons why I need sessions to be shared across
sub-domains:
I have a "www" server, and a "search" server. When a person signs in, the
HTML header at the top of every page shows a link to "Sign Out". This same
header is used on every page throughout the site; on both "www" and "search".
Based on the session, I know whether the person is signed in or not, and
whether to show the "Sign Out" link or not. The session needs to persist
across sub-domains; otherwise, when a person goes to the "search" server,
they wouldn't appear to be signed in any longer.

There are many real-world examples of why sessions need to be shared across
sub-domains. e.g. Yahoo uses a single sign-on and you stay signed-in across
"mail.yessy.com", "shopping.yahoo.com", "music.yahoo.com", etc.

There are just so many examples of why a session would need to be shared
across sub-domains.

The ASP.NET StateServer natively supports sub-domains. The only issue is the
domain setting for the Session cookie. Instead of tying the cookie to
"www.mydomain.com", allow the cookie to be tied to "mydomain.com". That way,
all sub-domains can access the cookie and problem solved. People stay
signed-in across sub-domains; the same session can be accessed; etc.

Why not allow developers to share sessions across sub-domains if they need
to? It's an extremely simple feature to provide.

By the way, I implemented a fairly good fix/hack today. Put this code on
every page:
Response.Cookies["ASP.NET_SessionId"].Value = Session.SessionID;
Response.Cookies["ASP.NET_SessionId"].Domain = ".mydomain.com";

Those two lines of code rewrite the Session cookie so it's now accessible
across sub-domains.

My hope is that Microsoft will implement a web/machine.config param that
allows the Session cookie to be accessed across sub-domains.

Doug



"John Timney (ASP.NET MVP)" wrote:

> I expect the problem would be the same. Asp.net bounds sessions and objects
> within applications for security, so if your subdomains were not part of the
> same web application then the session would not apply. The solution could
> be to have a root application, with all your other applications hanging
> under it as non application virtual directories - and then have something
> like the isapi virtual hosting filter handle the domains, allowing the root
> application to own the single session. I've never tried it myself though.
> I would always see a sub-domain as a seperate application entirely, or why
> would it be a sub-domain?
>
> --
> Regards
>
> John Timney
> ASP.NET MVP
> Microsoft Regional Director
>
> "Doug" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
> > Hi John,
> > I wasn't referring to sharing sessions across parent domains (e.g.
> > "mydomain1.com" and "mydomain2.com"). I want to share sessions on
> > sub-domains
> > of the same domain (e.g. "www.mydomain.com" and "search.mydomain.com").
> > Regards,
> > Doug
> >
> >
> > "John Timney (ASP.NET MVP)" wrote:
> >
> >> sorry I misread your question (its late here!!).
> >>
> >> You can't share sessions across domains, nor applications natively - so
> >> it
> >> will always set a new cookie as you move between domains. Because you
> >> can
> >> share cookies across those applications (and between those domains) one
> >> approach is to store your shared data in a database and use a shared
> >> domain
> >> cookie to identify the data in the database.
> >>
> >> --
> >> Regards
> >>
> >> John Timney
> >> ASP.NET MVP
> >> Microsoft Regional Director
> >>

>
>
>
 
Reply With Quote
 
 
 
Reply

Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
session cookie and presist cookie? =?Utf-8?B?amVycnkueHVkZGQ=?= ASP .Net 1 03-08-2006 12:16 AM
Cookie and Session Cookie Questions. Shapper ASP .Net 1 04-27-2005 11:20 AM
Session cookie? Browser instance cookie? Ben ASP .Net 3 06-03-2004 03:41 AM
Netscape : ASP Session variables across frames not accessible ? A Web Master ASP General 4 01-23-2004 08:59 PM
authentication cookie vs session cookie Joseph ASP .Net Security 4 08-12-2003 10:57 AM



Advertisments