Why isn't my "Set-Cookie" response header getting translated into an actual cookie?

I'm using Java 8, Wildfly 11, Spring 4 and Apache 2.4. I have this Java code that sets the session cookie

cookie = new Cookie(SESSION_ID_KEY, sessionId);
...
// Drop the first label of the server name: "app.example.com" -> "example.com"
final String serverName = request.getServerName();
final int firstDot = serverName.indexOf('.');
final String domain = firstDot == -1 ? serverName : serverName.substring(firstDot + 1);
// isIpAddress is computed in the elided part above
if (!StringUtils.equals(domain, "localhost") && !isIpAddress)
{
    cookie.setDomain(domain.indexOf('.') > -1 ? "." + domain : domain);
}   // if
// Use the servlet context path, minus any trailing slash, as the cookie path
final String rawContextPath = request.getContextPath();
final String contextPath = rawContextPath != null && rawContextPath.endsWith("/")
        ? rawContextPath.substring(0, rawContextPath.length() - 1)
        : rawContextPath;
cookie.setPath(contextPath);
System.out.println("setting domain " + domain + " and context path:" + contextPath);
response.addCookie(cookie);

I'm noticing in my browser this cookie isn't getting created. Then I looked in Postman, and noticed that the cookies weren't getting created, although I see these response headers ...

Set-Cookie: MY.SESSION.ID=10c25010534c4dd3900851ec1dfaebeb; path=/context; domain=.compute-1.amazonaws.com
Set-Cookie: closeTrialNoteDialog=""; Max-Age=0; Expires=Thu, 01-Jan-1970 00:00:00 GMT

It would seem that when a cookie isn't created, the response header still contains this Set-Cookie header. I can't tell what's wrong with either of the above, though, that would prevent the cookie from getting created. Any insight is appreciated.

Dave asked May 11 '18 20:05



1 Answer

Cookie domains must be Private Domains, specific to your organization, not Public Domains, used by many organizations.

In this case, the AWS domain you are using, .compute-1.amazonaws.com, isn't being set because browsers consider this to be a Public Domain, specifically known as "Effective Top Level Domain (eTLD)", "Extended Top Level Domain", and "Public Suffix". Common top level domains (TLD) include "generic TLDs" (gTLD) like .com, .net and .org and "country-code TLDs" (ccTLD) like .us and .uk. With the public cloud, browsers now also consider popular shared, cloud domains to be "effective TLDs" including a number of domains from AWS such as the one you are attempting to use.

To set your cookie, you will need to set your cookie domain to a private domain, what Google calls "Effective Top Level Domain plus one" (eTLD+1) which means your Effective Top Level Domain plus one subdomain, e.g. your entire fully-qualified hostname in this instance - ec2-27-123-206-78.compute-1.amazonaws.com. Microsoft uses the term "Public Suffix plus one" (PS+1) for the same requirement.

Mozilla Foundation Reasoning for Excluding eTLD / Public Suffix

  • Avoid privacy-damaging "supercookies" being set for high-level domain name suffixes
  • Highlight the most important part of a domain name in the user interface
  • Accurately sort history entries by site
  • Reference: https://publicsuffix.org/ (Mozilla Foundation)

Microsoft Reasoning for Excluding eTLD / Public Suffix

When setting a cookie, a website may specify which hosts the cookie should be sent to using the domain attribute. The browser must block attempts to set a cookie where the domain attribute does not end with the current page’s Private Domain. Failure to do so results in privacy and security concerns.

  • Privacy: Allowing unrelated domains to share cookies can result in “super-cookies”-- cookies which are sent to multiple unrelated organizations that happen to share a Public Suffix.
  • Security: Session-fixation attacks, where a good site and an evil site share a Public Suffix, and the evil site sets a malicious cookie on the Public Suffix so that the Good site is sent the evil cookie.
  • Reference: https://blogs.msdn.microsoft.com/ieinternals/2009/09/18/understanding-domain-names-in-internet-explorer/

Google Chromium / Chrome Behavior

Google indicates Chromium (and thus Chrome) stores cookies using "eTLD+1" in the description of its CookieMonster class.

The central data structure of a CookieMonster is the cookies_ member, which is a multimap (multiple values allowed for a single key) from a domain to some set of cookies. Each cookie is represented by a CanonicalCookie(), which contains all of the information that can be specified in a cookie (see diagram and RFC 2695). When set, cookies are placed into this data structure, and retrieval involves searching this data structure. The key to this data structure is the most inclusive domain (shortest dot delimited suffix) of the cookie domain that does not name a domain registrar (i.e. "google.com" or "bbc.co.uk", but not "co.uk" or "com"). This is also known as the Effective Top Level Domain plus one, or eTLD+1, for short.

  • Reference: https://www.chromium.org/developers/design-documents/network-stack/cookiemonster

List of Domains including amazonaws.com

You can see the list of effective top level domains used by Firefox in its source code published on Mozilla's PublicSuffix.org. The Google CookieMonster page references PublicSuffix.org as well. This list includes a number of AWS domains including the one you are attempting to use for EC2, submitted by Amazon.

// Amazon Elastic Compute Cloud : https://aws.amazon.com/ec2/
// Submitted by Luke Wells <[email protected]>
*.compute.amazonaws.com
*.compute-1.amazonaws.com
*.compute.amazonaws.com.cn
us-east-1.amazonaws.com
  • Reference: https://publicsuffix.org/list/effective_tld_names.dat

Note: I just noticed saurav kumar posted the Mozilla links to this in a comment.

Grokify answered Oct 20 '22 02:10
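The answer above describes the rule in words; the following is an added example (not code from the question or the answer) that applies it mechanically so you can check a Set-Cookie header before shipping it. It implements the publicsuffix.org matching algorithm over a constructed subset of the Public Suffix List (including the amazonaws.com entries quoted in the answer, plus wildcard and exception rules so it goes beyond the EC2 case), computes the request host's eTLD+1, and then applies the RFC 6265 section 5.3 acceptance check: the Domain attribute must domain-match the request host and end with the host's eTLD+1; when the host has no eTLD+1 because it is itself a public suffix (as every EC2 hostname under *.compute-1.amazonaws.com is), only a Domain identical to the host is accepted, and the cookie is stored host-only. The rule list, hostnames and header values are constructed for the example.

```python
"""Check whether a browser will accept a Set-Cookie Domain attribute.

Added example, not code from the question or the answer. PSL_RULES is a
constructed subset of the Public Suffix List (https://publicsuffix.org/list/).
"""
import ipaddress
from typing import Optional

# Constructed subset of the Public Suffix List. "*" matches exactly one label;
# "!" marks an exception to a wildcard rule. The amazonaws.com entries are the
# ones quoted in the answer above.
PSL_RULES = [
    "com", "net", "org", "uk", "co.uk", "jp",
    "*.kawasaki.jp", "!city.kawasaki.jp",
    "*.compute.amazonaws.com",
    "*.compute-1.amazonaws.com",
    "*.compute.amazonaws.com.cn",
    "us-east-1.amazonaws.com",
]


def _labels(name: str) -> list:
    return name.lower().strip(".").split(".")


def _rule_matches(rule: str, host_labels: list) -> bool:
    rule_labels = _labels(rule.lstrip("!"))
    if len(rule_labels) > len(host_labels):
        return False
    # Compare label by label from the right; "*" matches any single label.
    return all(r == "*" or r == h
               for r, h in zip(reversed(rule_labels), reversed(host_labels)))


def public_suffix(host: str) -> str:
    """Public suffix (eTLD) of host per the publicsuffix.org algorithm."""
    host_labels = _labels(host)
    matches = [r for r in PSL_RULES if _rule_matches(r, host_labels)]
    exceptions = [r for r in matches if r.startswith("!")]
    if exceptions:
        # An exception rule wins; its suffix is the rule minus its leftmost label.
        rule_labels = _labels(exceptions[0].lstrip("!"))[1:]
    elif matches:
        # Otherwise the matching rule with the most labels wins.
        rule_labels = _labels(max(matches, key=lambda r: len(_labels(r))))
    else:
        rule_labels = ["*"]  # implicit catch-all rule: last label is the suffix
    return ".".join(host_labels[-len(rule_labels):])


def registrable_domain(host: str) -> Optional[str]:
    """eTLD+1 of host, or None when host is itself a public suffix."""
    host_labels = _labels(host)
    n = len(_labels(public_suffix(host)))
    if len(host_labels) <= n:
        return None
    return ".".join(host_labels[-(n + 1):])


def _domain_matches(host: str, domain: str) -> bool:
    # RFC 6265 section 5.1.3: identical, or host ends with "." + domain.
    return host == domain or host.endswith("." + domain)


def effective_cookie_domain(request_host: str, domain_attr: str) -> Optional[str]:
    """Domain a browser would store for the cookie, or None if it rejects it.

    No Domain attribute -> host-only cookie. An IP literal accepts only a
    host-only cookie. Otherwise the Domain must domain-match the request host
    and end with the host's eTLD+1; if the host has no eTLD+1 (it is itself a
    public suffix), only a Domain identical to the host is accepted, host-only.
    """
    host = request_host.lower().rstrip(".")
    domain = domain_attr.lower().strip(".")
    if not domain:
        return host
    try:
        ipaddress.ip_address(host)
        return host if domain == host else None
    except ValueError:
        pass  # not an IP literal; apply the public-suffix rules
    if not _domain_matches(host, domain):
        return None
    etld1 = registrable_domain(host)
    if etld1 is None:
        return host if domain == host else None
    return domain if _domain_matches(domain, etld1) else None


def domain_attribute(set_cookie_value: str) -> str:
    """Extract the Domain attribute from a Set-Cookie header value ("" if absent)."""
    for part in set_cookie_value.split(";")[1:]:
        name, _, value = part.strip().partition("=")
        if name.strip().lower() == "domain":
            return value.strip()
    return ""


if __name__ == "__main__":
    # The header from the question, received by the EC2 hostname named in the answer.
    header = ("MY.SESSION.ID=10c25010534c4dd3900851ec1dfaebeb; "
              "path=/context; domain=.compute-1.amazonaws.com")
    host = "ec2-27-123-206-78.compute-1.amazonaws.com"
    print(effective_cookie_domain(host, domain_attribute(header)))  # None: rejected
    print(effective_cookie_domain(host, host))  # accepted, stored host-only
    print(effective_cookie_domain("www.example.com", ".example.com"))  # example.com
```

For the question's header the function returns None because the EC2 hostname has no registrable domain at all, so the only Domain value a browser will take is the full hostname, and that cookie is then host-only. On a private domain such as www.example.com the same check accepts example.com and rejects com. Against the real Public Suffix List, replace PSL_RULES with the rule lines from effective_tld_names.dat (comments and blank lines stripped).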