
I have an application that forwards requests to a secure domain on any Wicket page that is marked with @RequireHttps.

I am also appending a session ID to the URL in order to keep the sessionData on the secure URL.

I am listening for any session, and then replacing the sessionID in the cookie with the one passed in.

I have tested my logic locally using the same domain for secure and non-secure; the cookie gets overwritten with whatever I pass in as the session.

However, when I pass in the session data to my URL to a different domain, it doesn't work.

secure.example.com/?username=testuser&session=xxxxxxxx

I get a blank page.

It seems that there is no cookie being generated when I forward to the new URL. It seems to me I need to create a new session for the new URL, and then replace the session ID in the new cookie.

How can I force the application to g

Tomasz Nurkiewicz
Fergal

1 Answer

Regarding cookies:

A cookie is scoped by its name, a domain and a path within this domain (for more, please see RFC 6265, 4.1.2.3. The Domain Attribute).

So generally, you can set a scope of a cookie to a domain (or to subdomains of the domain) but not cross-domain (outside of the domain of the origin server). Within your test domain it worked (which is OK), and between different domains it did not work (which is OK, too).

But it's not clear from your question if the "different domain" is a subdomain of a domain you own, or if it is a completely new domain. If it is the former, you can set a cookie domain to something like .example.com and such a cookie should work across all subdomains within the domain example.com.

Community
grlicky
  • Hi, thanks for the answer. Unfortunately it's a different domain I need to send it to, one that's shared for secure connections but that will forward my requests back to the original server. So I'm going from www.example.com to secure.example2.com – Fergal Dec 22 '11 at 09:11
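
The scoping rule from the answer, as an added example that is not part of the original posts: a small JavaScript model of how a user agent handles the Domain attribute under RFC 6265, run against the host names mentioned in this thread. The function names are hypothetical, and public-suffix rejection, Path and Secure are not modelled.

```javascript
// Added example: cookie Domain handling per RFC 6265 (sections 5.1.3, 5.2.3, 5.3, 5.4).
// Assumptions: public-suffix rejection and Path/Secure handling are left out.

const isIpAddress = (host) =>
  /^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.includes(":");

// RFC 6265 5.1.3: does `host` domain-match `cookieDomain`?
function domainMatches(host, cookieDomain) {
  host = host.toLowerCase();
  cookieDomain = cookieDomain.toLowerCase();
  if (host === cookieDomain) return true;
  // Suffix match only on a label boundary, and never for IP addresses.
  return host.endsWith("." + cookieDomain) && !isIpAddress(host);
}

// RFC 6265 5.2.3 + 5.3 step 6: how a user agent stores a cookie that
// `requestHost` sets with the given Domain attribute (null = attribute absent).
// Returns null when the cookie is ignored.
function storeCookie(requestHost, domainAttr) {
  const host = requestHost.toLowerCase();
  if (!domainAttr) return { domain: host, hostOnly: true };
  const domain = domainAttr.replace(/^\./, "").toLowerCase();
  if (!domainMatches(host, domain)) return null; // cross-domain: rejected
  return { domain, hostOnly: false };
}

// RFC 6265 5.4: is a stored cookie sent on a request to `targetHost`?
function isSentTo(stored, targetHost) {
  if (stored === null) return false;
  const host = targetHost.toLowerCase();
  return stored.hostOnly
    ? host === stored.domain
    : domainMatches(host, stored.domain);
}

// Constructed scenarios using the host names from this thread.
const scenarios = [
  ["www.example.com", null, "secure.example.com"],
  ["www.example.com", ".example.com", "secure.example.com"],
  ["www.example.com", ".example.com", "secure.example2.com"],
  ["www.example.com", ".example2.com", "secure.example2.com"],
];
for (const [setBy, attr, target] of scenarios) {
  const stored = storeCookie(setBy, attr);
  const outcome = stored === null ? "rejected at set time"
    : isSentTo(stored, target) ? "sent" : "not sent";
  console.log(`${setBy} Domain=${attr} -> ${target}: ${outcome}`);
}
```

The last scenario is the one from the comment: www.example.com cannot set a cookie for example2.com, so the session cookie on secure.example2.com has to be issued by that host itself.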