Re: Session Cookie not accessible across Sub-Domains



Well, the out-of-proc StateServer works just fine for sharing sessions across
sub-domains. Everything in ASP.NET allows for sharing sessions across
sub-domains; everything except this simple cookie issue.

Let me explain one of the reasons why I need sessions to be shared across
sub-domains:
I have a "www" server, and a "search" server. When a person signs in, the
HTML header at the top of every page shows a link to "Sign Out". This same
header is used on every page throughout the site; on both "www" and "search".
Based on the session, I know whether the person is signed in or not, and
whether to show the "Sign Out" link or not. The session needs to persist
across sub-domains; otherwise, when a person goes to the "search" server,
they wouldn't appear to be signed in any longer.

There are many real-world examples of why sessions need to be shared across
sub-domains. e.g. Yahoo uses a single sign-on and you stay signed-in across
"mail.yessy.com", "shopping.yahoo.com", "music.yahoo.com", etc.

There are just so many examples of why a session would need to be shared
across sub-domains.

The ASP.NET StateServer natively supports sub-domains. The only issue is the
domain setting for the Session cookie. Instead of tying the cookie to
"www.mydomain.com", allow the cookie to be tied to "mydomain.com". That way,
all sub-domains can access the cookie and problem solved. People stay
signed-in across sub-domains; the same session can be accessed; etc.

Why not allow developers to share sessions across sub-domains if they need
to? It's an extremely simple feature to provide.

By the way, I implemented a fairly good fix/hack today. Put this code on
every page:

    Response.Cookies["ASP.NET_SessionId"].Value = Session.SessionID;
    Response.Cookies["ASP.NET_SessionId"].Domain = ".mydomain.com";

Those two lines of code rewrite the Session cookie so it's now accessible
across sub-domains.

My hope is that Microsoft will implement a web/machine.config param that
allows the Session cookie to be accessed across sub-domains.

Doug



"John Timney (ASP.NET MVP)" wrote:

> I expect the problem would be the same. Asp.net bounds sessions and objects
> within applications for security, so if your subdomains were not part of the
> same web application then the session would not apply. The solution could
> be to have a root application, with all your other applications hanging
> under it as non application virtual directories - and then have something
> like the isapi virtual hosting filter handle the domains, allowing the root
> application to own the single session. I've never tried it myself though.
> I would always see a sub-domain as a separate application entirely, or why
> would it be a sub-domain?
>
> --
> Regards
>
> John Timney
> ASP.NET MVP
> Microsoft Regional Director
>
> "Doug" <Doug@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> news:BD97499C-A4EB-4E95-9165-8756E24EF92A@xxxxxxxxxxxxxxxx
> > Hi John,
> > I wasn't referring to sharing sessions across parent domains (e.g.
> > "mydomain1.com" and "mydomain2.com"). I want to share sessions on
> > sub-domains of the same domain (e.g. "www.mydomain.com" and
> > "search.mydomain.com").
> > Regards,
> > Doug
> >
> >
> > "John Timney (ASP.NET MVP)" wrote:
> >
> >> Sorry, I misread your question (it's late here!!).
> >>
> >> You can't share sessions across domains, nor applications natively - so it
> >> will always set a new cookie as you move between domains. Because you can
> >> share cookies across those applications (and between those domains) one
> >> approach is to store your shared data in a database and use a shared domain
> >> cookie to identify the data in the database.
> >>
> >> --
> >> Regards
> >>
> >> John Timney
> >> ASP.NET MVP
> >> Microsoft Regional Director
> >>
>
>
>
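
The workaround from the message above, as an added example that is not part of the original post or of ASP.NET itself: an HTTP module widens the session cookie to the parent domain in one place instead of on every page, and sets HttpOnly and Secure explicitly, because a cookie scoped to ".mydomain.com" is sent to every host under that domain. The module name `SharedSessionCookieModule` and the hard-coded parent domain are assumptions.

```csharp
using System;
using System.Linq;
using System.Web;

// Added example (not from the original post): rewrites the session cookie's
// scope once per response that issues it, keeping HttpOnly and Secure set.
public class SharedSessionCookieModule : IHttpModule
{
    // Assumptions: the parent domain used in the post, default cookie name.
    private const string ParentDomain = "mydomain.com";
    private const string CookieName = "ASP.NET_SessionId";

    public void Init(HttpApplication app)
    {
        // EndRequest runs after session state has been released, so a cookie
        // issued late in the pipeline is still seen (assumes buffered output).
        app.EndRequest += OnEndRequest;
    }

    private static void OnEndRequest(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;

        // Only widen the scope for hosts that really sit under the parent domain.
        string host = ctx.Request.Url.Host;
        bool underParent =
            host.Equals(ParentDomain, StringComparison.OrdinalIgnoreCase) ||
            host.EndsWith("." + ParentDomain, StringComparison.OrdinalIgnoreCase);
        if (!underParent) return;

        // AllKeys does not create an entry; the indexer would add an empty cookie.
        if (!ctx.Response.Cookies.AllKeys.Contains(CookieName)) return;

        HttpCookie cookie = ctx.Response.Cookies[CookieName];
        cookie.Domain = "." + ParentDomain;              // sent to every sub-domain
        cookie.HttpOnly = true;                          // not readable from script
        cookie.Secure = ctx.Request.IsSecureConnection;  // HTTPS-only if issued over HTTPS
    }

    public void Dispose() { }
}
```

The module has to be registered in web.config on each sub-domain's application, and every host under the parent domain then receives the session ID, so all of them need to be trusted to the same degree.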