Read Cross-Domain (Cross-Sub-Domain) Cookies in ColdFusion (HTTPS)

I need to read a cookie created on https://sub1.domain.com from http://origin.domain.com using ColdFusion. I've seen a lot of info about how to create a cookie in a subdomain using CFCOOKIE, but I don't know how to access a cookie that already exists.

Will the HTTPS make this impossible anyway?

ADDENDUM: The checked answer below correctly addresses the question as worded above. In my case, it did not work. I should have explained: The cookie on sub1.domain.com is created by a hosted third-party product - not written in ColdFusion and not under my control.

Brien Malone asked Dec 13 '11 23:12



1 Answer

This is really quite easy. When you create the cookie, give it a domain attribute equal to your domain. The important part to remember is that it MUST have a leading dot.

<cfcookie name="mycookie" value="myvalue" domain=".mydomain.com" path="/" />

The leading dot tells the browser to send the cookie to any subdomain of mydomain.com, which would include sub.mydomain.com and blah.mydomain.com.

You would then be able to access the cookie from any of the subdomains just as you would any other cookie:

<cfset thevalue = cookie.mycookie />

You should do this as a best practice to support older browsers.

Here is the statement from RFC 2109: HTTP State Management Mechanism that could affect older browsers:

"To prevent possible security or privacy violations, a user agent rejects a cookie (shall not store its information) if… The value for the Domain attribute contains no embedded dots or does not start with a dot."

I believe this is overridden by RFC 2965: HTTP State Management Mechanism, which states:

"Domain=value OPTIONAL. The value of the Domain attribute specifies the domain for which the cookie is valid. If an explicitly specified value does not start with a dot, the user agent supplies a leading dot."

Which explains why it might be working for you in, presumably, a modern browser. I would still suggest you add it.

Jason Dean answered Oct 13 '22 04:10
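An added example, not part of the original question or answer: a simplified JavaScript model of how a browser following RFC 6265 (the current cookie specification) decides whether a cookie set by https://sub1.domain.com is sent to http://origin.domain.com, covering both the Domain attribute and the Secure flag raised in the question. The function names and cookie names are hypothetical, and the scenarios are constructed from the hostnames in the question.

```javascript
// Simplified model of RFC 6265 cookie handling. Not modeled: Path, expiry,
// SameSite, and the public suffix list.

// Section 5.1.3: a host matches if it is identical to the cookie domain, or
// ends with "." + domain and is not an IP address.
function domainMatches(host, cookieDomain) {
  if (host === cookieDomain) return true;
  const isIp = /^[\d.]+$/.test(host) || host.includes(":");
  return !isIp && host.endsWith("." + cookieDomain);
}

// What the browser stores when setterUrl responds with Set-Cookie.
// Returns null if the cookie would be rejected.
function storeCookie(setterUrl, { name, value, domain = "", secure = false }) {
  const host = new URL(setterUrl).hostname;
  // Section 5.2.3: a leading dot in the Domain attribute is ignored.
  const attr = domain.replace(/^\./, "").toLowerCase();
  if (attr === "") {
    // No Domain attribute: host-only cookie, visible to the exact host only.
    return { name, value, domain: host, hostOnly: true, secure };
  }
  // Section 5.3: the setting host must itself domain-match the attribute.
  if (!domainMatches(host, attr)) return null;
  return { name, value, domain: attr, hostOnly: false, secure };
}

// Section 5.4: would the browser attach this cookie to a request for requestUrl?
function wouldSend(cookie, requestUrl) {
  const url = new URL(requestUrl);
  // Secure cookies are only sent over HTTPS.
  if (cookie.secure && url.protocol !== "https:") return false;
  return cookie.hostOnly
    ? url.hostname === cookie.domain
    : domainMatches(url.hostname, cookie.domain);
}

// Constructed scenarios using the hostnames from the question.
const setter = "https://sub1.domain.com/";
const hostOnly = storeCookie(setter, { name: "a", value: "1" });
const shared = storeCookie(setter, { name: "b", value: "2", domain: ".domain.com" });
const sharedSecure = storeCookie(setter, { name: "c", value: "3", domain: "domain.com", secure: true });
const foreign = storeCookie(setter, { name: "d", value: "4", domain: ".other.com" });

console.log("host-only -> http origin:", wouldSend(hostOnly, "http://origin.domain.com/"));
console.log("Domain=.domain.com -> http origin:", wouldSend(shared, "http://origin.domain.com/"));
console.log("Secure -> http origin:", wouldSend(sharedSecure, "http://origin.domain.com/"));
console.log("Secure -> https origin:", wouldSend(sharedSecure, "https://origin.domain.com/"));
console.log("Domain=.other.com stored:", foreign !== null);
```

To see which case applies to a cookie you do not control, inspect its Domain and Secure columns in the browser's developer tools on the site that sets it.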