Session Cookie not accessible across Sub-Domains

Discussion in 'ASP .Net' started by Doug, Aug 22, 2005.

  1. An ASP.NET session cookie set on "www.mydomain.com" can not be accessed on
    "search.mydomain.com"; hence, a new session and cookie are being created on
    every sub-domain.

    This is occurring because ASP.NET always sets the Session cookie domain to
    the full domain (e.g. "www.mydomain.com") instead of the parent domain (e.g.
    "mydomain.com")

    The problem with this is when the visitor goes to a different sub-domain
    (e.g. "search.mydomain.com"), this sub-domain can not access the previously
    set Session cookie, and hence, has no idea a session has already been
    created. Hence, a new session is created with a new cookie set to
    "search.mydomain.com". Now the visitor has two session cookies pointing to
    two different sub-domains.

    For the past couple of years, I've gotten around this by manually creating a
    "ASP.NET_SessionId" cookie pointing to the parent domain (e.g.
    "mydomain.com"). That way, all sub-domains have access to the same cookie and
    the same session ID. However, this is a hack; I end up with multiple session
    cookies pointing to "www.mydomain", "search.mydomain.com", and
    "mydomain.com"; not the best solution.

    How can I tell ASP.NET to always set the Session cookie domain to
    "mydomain.com" so all sub-domains can read it? My research over the past
    couple of years tells me this is impossible. This seems to be a major bug
    that many people experience, however, I've heard no word of a fix nor any
    comment on it from Microsoft.

    Doug
    Doug, Aug 22, 2005
    #1

  2. When initially setting the cookie

    Response.Cookies("domain").Value = DateTime.Now.ToString
    Response.Cookies("domain").Expires = DateTime.Now.AddDays(1)
    Response.Cookies("domain").Domain = "mydomain.com"

    .................should do the trick.

    I think it's case sensitive at the browser.

    --
    Regards

    John Timney
    ASP.NET MVP
    Microsoft Regional Director

    "Doug" <> wrote in message
    news:...
    > An ASP.NET session cookie set on "www.mydomain.com" can not be accessed on
    > "search.mydomain.com"; hence, a new session and cookie are being created
    > on
    > every sub-domain.
    >
    > This is occurring because ASP.NET always sets the Session cookie domain to
    > the full domain (e.g. "www.mydomain.com") instead of the parent domain
    > (e.g.
    > "mydomain.com")
    >
    > The problem with this is when the visitor goes to a different sub-domain
    > (e.g. "search.mydomain.com"), this sub-domain can not access the
    > previously
    > set Session cookie, and hence, has no idea a session has already been
    > created. Hence, a new session is created with a new cookie set to
    > "search.mydomain.com". Now the visitor has two session cookies pointing to
    > two different sub-domains.
    >
    > For the past couple of years, I've gotten around this by manually creating
    > a
    > "ASP.NET_SessionId" cookie pointing to the parent domain (e.g.
    > "mydomain.com"). That way, all sub-domains have access to the same cookie
    > and
    > the same session ID. However, this is a hack; I end up with multiple
    > session
    > cookies pointing to "www.mydomain", "search.mydomain.com", and
    > "mydomain.com"; not the best solution.
    >
    > How can I tell ASP.NET to always set the Session cookie domain to
    > "mydomain.com" so all sub-domains can read it? My research over the past
    > couple of years tells me this is impossible. This seems to be a major bug
    > that many people experience, however, I've heard no word of a fix nor any
    > comment on it from Microsoft.
    >
    > Doug
    John Timney (ASP.NET MVP), Aug 22, 2005
    #2

  3. Hi John,
    Thank you for the reply. I'm not sure I understand; or perhaps vice-versa?

    I don't set the ASP.NET Session cookie. ASP.NET does that all on its own. I
    do know how to write cookies and set domains, etc. My question is, how do I
    get ASP.NET to set the correct domain wherever it sets its own cookie?

    Thanks,
    Doug


    "John Timney (ASP.NET MVP)" wrote:

    > When initially setting the cookie
    >
    > Response.Cookies("domain").Value = DateTime.Now.ToString
    > Response.Cookies("domain").Expires = DateTime.Now.AddDays(1)
    > Response.Cookies("domain").Domain = "mydomain.com"
    >
    > .................should do the trick.
    >
    > I think it's case sensitive at the browser.
    >
    > --
    > Regards
    >
    > John Timney
    > ASP.NET MVP
    > Microsoft Regional Director
    >
    Doug, Aug 23, 2005
    #3
  4. Sorry I misread your question (it's late here!!).

    You can't share sessions across domains, nor applications natively - so it
    will always set a new cookie as you move between domains. Because you can
    share cookies across those applications (and between those domains) one
    approach is to store your shared data in a database and use a shared domain
    cookie to identify the data in the database.

    --
    Regards

    John Timney
    ASP.NET MVP
    Microsoft Regional Director

    "Doug" <> wrote in message
    news:...
    > Hi John,
    > Thank you for the reply. I'm not sure I understand; or perhaps vice-versa?
    >
    > I don't set the ASP.NET Session cookie. ASP.NET does that all on its own.
    > I
    > do know how to write cookies and set domains, etc. My question is, how do
    > I
    > get ASP.NET to set the correct domain wherever it sets its own cookie?
    >
    > Thanks,
    > Doug
    >
    >
    > "John Timney (ASP.NET MVP)" wrote:
    >
    >> When initially setting the cookie
    >>
    >> Response.Cookies("domain").Value = DateTime.Now.ToString
    >> Response.Cookies("domain").Expires = DateTime.Now.AddDays(1)
    >> Response.Cookies("domain").Domain = "mydomain.com"
    >>
    >> .................should do the trick.
    >>
    >> I think it's case sensitive at the browser.
    >>
    >> --
    >> Regards
    >>
    >> John Timney
    >> ASP.NET MVP
    >> Microsoft Regional Director
    >>

    >
    John Timney (ASP.NET MVP), Aug 23, 2005
    #4
  5. Hi John,
    I wasn't referring to sharing sessions across parent domains (e.g.
    "mydomain1.com" and "mydomain2.com"). I want to share sessions on sub-domains
    of the same domain (e.g. "www.mydomain.com" and "search.mydomain.com").
    Regards,
    Doug


    "John Timney (ASP.NET MVP)" wrote:

    > Sorry I misread your question (it's late here!!).
    >
    > You can't share sessions across domains, nor applications natively - so it
    > will always set a new cookie as you move between domains. Because you can
    > share cookies across those applications (and between those domains) one
    > approach is to store your shared data in a database and use a shared domain
    > cookie to identify the data in the database.
    >
    > --
    > Regards
    >
    > John Timney
    > ASP.NET MVP
    > Microsoft Regional Director
    >
    Doug, Aug 23, 2005
    #5
  6. I expect the problem would be the same. Asp.net bounds sessions and objects
    within applications for security, so if your subdomains were not part of the
    same web application then the session would not apply. The solution could
    be to have a root application, with all your other applications hanging
    under it as non application virtual directories - and then have something
    like the isapi virtual hosting filter handle the domains, allowing the root
    application to own the single session. I've never tried it myself though.
    I would always see a sub-domain as a separate application entirely, or why
    would it be a sub-domain?

    --
    Regards

    John Timney
    ASP.NET MVP
    Microsoft Regional Director

    "Doug" <> wrote in message
    news:...
    > Hi John,
    > I wasn't referring to sharing sessions across parent domains (e.g.
    > "mydomain1.com" and "mydomain2.com"). I want to share sessions on
    > sub-domains
    > of the same domain (e.g. "www.mydomain.com" and "search.mydomain.com").
    > Regards,
    > Doug
    >
    >
    > "John Timney (ASP.NET MVP)" wrote:
    >
    >> Sorry I misread your question (it's late here!!).
    >>
    >> You can't share sessions across domains, nor applications natively - so
    >> it
    >> will always set a new cookie as you move between domains. Because you
    >> can
    >> share cookies across those applications (and between those domains) one
    >> approach is to store your shared data in a database and use a shared
    >> domain
    >> cookie to identify the data in the database.
    >>
    >> --
    >> Regards
    >>
    >> John Timney
    >> ASP.NET MVP
    >> Microsoft Regional Director
    >>
    John Timney (ASP.NET MVP), Aug 23, 2005
    #6
  7. Well, the out-of-proc StateServer works just fine for sharing sessions across
    sub-domains. Everything in ASP.NET allows for sharing sessions across
    sub-domains; everything except this simple cookie issue.

    Let me explain one of the reasons why I need sessions to be shared across
    sub-domains:
    I have a "www" server, and a "search" server. When a person signs in, the
    HTML header at the top of every page shows a link to "Sign Out". This same
    header is used on every page throughout the site; on both "www" and "search".
    Based on the session, I know whether the person is signed in or not, and
    whether to show the "Sign Out" link or not. The session needs to persist
    across sub-domains; otherwise, when a person goes to the "search" server,
    they wouldn't appear to be signed in any longer.

    There are many real-world examples of why sessions need to be shared across
    sub-domains. e.g. Yahoo uses a single sign-on and you stay signed-in across
    "mail.yessy.com", "shopping.yahoo.com", "music.yahoo.com", etc.

    There are just so many examples of why a session would need to be shared
    across sub-domains.

    The ASP.NET StateServer natively supports sub-domains. The only issue is the
    domain setting for the Session cookie. Instead of tying the cookie to
    "www.mydomain.com", allow the cookie to be tied to "mydomain.com". That way,
    all sub-domains can access the cookie and problem solved. People stay
    signed-in across sub-domains; the same session can be accessed; etc.

    Why not allow developers to share sessions across sub-domains if they need
    to? It's an extremely simple feature to provide.

    By the way, I implemented a fairly good fix/hack today. Put this code on
    every page:
    Response.Cookies["ASP.NET_SessionId"].Value = Session.SessionID;
    Response.Cookies["ASP.NET_SessionId"].Domain = ".mydomain.com";

    Those two lines of code rewrite the Session cookie so it's now accessible
    across sub-domains.

    My hope is that Microsoft will implement a web/machine.config param that
    allows the Session cookie to be accessed across sub-domains.

    Doug



    "John Timney (ASP.NET MVP)" wrote:

    > I expect the problem would be the same. Asp.net bounds sessions and objects
    > within applications for security, so if your subdomains were not part of the
    > same web application then the session would not apply. The solution could
    > be to have a root application, with all your other applications hanging
    > under it as non application virtual directories - and then have something
    > like the isapi virtual hosting filter handle the domains, allowing the root
    > application to own the single session. I've never tried it myself though.
    > I would always see a sub-domain as a separate application entirely, or why
    > would it be a sub-domain?
    >
    > --
    > Regards
    >
    > John Timney
    > ASP.NET MVP
    > Microsoft Regional Director
    >
    > "Doug" <> wrote in message
    > news:...
    > > Hi John,
    > > I wasn't referring to sharing sessions across parent domains (e.g.
    > > "mydomain1.com" and "mydomain2.com"). I want to share sessions on
    > > sub-domains
    > > of the same domain (e.g. "www.mydomain.com" and "search.mydomain.com").
    > > Regards,
    > > Doug
    > >
    > >
    > > "John Timney (ASP.NET MVP)" wrote:
    > >
    > >> Sorry I misread your question (it's late here!!).
    > >>
    > >> You can't share sessions across domains, nor applications natively - so
    > >> it
    > >> will always set a new cookie as you move between domains. Because you
    > >> can
    > >> share cookies across those applications (and between those domains) one
    > >> approach is to store your shared data in a database and use a shared
    > >> domain
    > >> cookie to identify the data in the database.
    > >>
    > >> --
    > >> Regards
    > >>
    > >> John Timney
    > >> ASP.NET MVP
    > >> Microsoft Regional Director
    > >>

    >
    >
    >
    Doug, Aug 23, 2005
    #7
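
Added example (not part of any post in this thread): a small model of the browser-side cookie scoping rules from RFC 6265 that explains what posts #1 and #7 describe. The host names are the thread's placeholders, "blog.mydomain.com" and the session value are constructed, and the model ignores Path, Secure, expiry and the public-suffix check that real browsers apply.

```javascript
// RFC 6265 section 5.1.3: a host domain-matches a cookie domain when the two
// are equal or the host ends with "." + domain.
function domainMatch(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  return host === domain || host.endsWith("." + domain);
}

class CookieJar {
  constructor() { this.cookies = []; }

  // Store a cookie from a response served by `host`. `domainAttr` is the
  // Set-Cookie Domain attribute, or undefined when the server sent none.
  // Returns false when the browser would refuse the cookie.
  set(host, name, value, domainAttr) {
    let domain, hostOnly;
    if (domainAttr === undefined || domainAttr === "") {
      domain = host.toLowerCase();   // no Domain attribute: host-only cookie
      hostOnly = true;
    } else {
      domain = domainAttr.replace(/^\./, "").toLowerCase(); // leading dot is ignored
      hostOnly = false;
      if (!domainMatch(host, domain)) return false; // host may not set a foreign domain
    }
    // A cookie is identified by name + domain (path omitted in this model).
    this.cookies = this.cookies.filter(c => !(c.name === name && c.domain === domain));
    this.cookies.push({ name, value, domain, hostOnly });
    return true;
  }

  // Cookies the browser attaches to a request for `host`.
  cookiesFor(host) {
    host = host.toLowerCase();
    return this.cookies.filter(c =>
      c.hostOnly ? host === c.domain : domainMatch(host, c.domain));
  }
}

function cookieHeader(jar, host) {
  return jar.cookiesFor(host).map(c => `${c.name}=${c.value}`).join("; ");
}

function scenario() {
  const jar = new CookieJar();
  const hosts = ["www.mydomain.com", "search.mydomain.com", "blog.mydomain.com"];
  const snapshot = () => Object.fromEntries(hosts.map(h => [h, cookieHeader(jar, h)]));

  // Post #1: ASP.NET issues the session cookie without a Domain attribute.
  jar.set("www.mydomain.com", "ASP.NET_SessionId", "aaa111");
  const before = snapshot();

  // Post #7: the same id is re-issued with Domain=.mydomain.com.
  jar.set("www.mydomain.com", "ASP.NET_SessionId", "aaa111", ".mydomain.com");
  const after = snapshot();

  // A response from www cannot scope a cookie to an unrelated domain.
  const foreignAccepted = jar.set("www.mydomain.com", "x", "1", "otherdomain.com");
  return { before, after, foreignAccepted };
}

console.log(scenario());
```

After the workaround the browser holds two cookies named ASP.NET_SessionId for "www" (the host-only one and the parent-domain one), which is the duplication Doug mentions in post #1. Every host under mydomain.com now receives the session ID, so the session is only as well protected as the least-protected sub-domain.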
  8. good hack - I'll remember that one :)

    --
    Regards

    John Timney
    ASP.NET MVP
    Microsoft Regional Director

    "Doug" <> wrote in message
    news:...
    > Well, the out-of-proc StateServer works just fine for sharing sessions
    > across
    > sub-domains. Everything in ASP.NET allows for sharing sessions across
    > sub-domains; everything except this simple cookie issue.
    >
    > Let me explain one of the reasons why I need sessions to be shared across
    > sub-domains:
    > I have a "www" server, and a "search" server. When a person signs in, the
    > HTML header at the top of every page shows a link to "Sign Out". This same
    > header is used on every page throughout the site; on both "www" and
    > "search".
    > Based on the session, I know whether the person is signed in or not, and
    > whether to show the "Sign Out" link or not. The session needs to persist
    > across sub-domains; otherwise, when a person goes to the "search" server,
    > they wouldn't appear to be signed in any longer.
    >
    > There are many real-world examples of why sessions need to be shared
    > across
    > sub-domains. e.g. Yahoo uses a single sign-on and you stay signed-in
    > across
    > "mail.yessy.com", "shopping.yahoo.com", "music.yahoo.com", etc.
    >
    > There are just so many examples of why a session would need to be shared
    > across sub-domains.
    >
    > The ASP.NET StateServer natively supports sub-domains. The only issue is
    > the
    > domain setting for the Session cookie. Instead of tying the cookie to
    > "www.mydomain.com", allow the cookie to be tied to "mydomain.com". That
    > way,
    > all sub-domains can access the cookie and problem solved. People stay
    > signed-in across sub-domains; the same session can be accessed; etc.
    >
    > Why not allow developers to share sessions across sub-domains if they need
    > to? It's an extremely simple feature to provide.
    >
    > By the way, I implemented a fairly good fix/hack today. Put this code on
    > every page:
    > Response.Cookies["ASP.NET_SessionId"].Value = Session.SessionID;
    > Response.Cookies["ASP.NET_SessionId"].Domain = ".mydomain.com";
    >
    > Those two lines of code rewrite the Session cookie so it's now accessible
    > across sub-domains.
    >
    > My hope is that Microsoft will implement a web/machine.config param that
    > allows the Session cookie to be accessed across sub-domains.
    >
    > Doug
    >
    >
    >
    > "John Timney (ASP.NET MVP)" wrote:
    >
    >> I expect the problem would be the same. Asp.net bounds sessions and
    >> objects
    >> within applications for security, so if your subdomains were not part of
    >> the
    >> same web application then the session would not apply. The solution
    >> could
    >> be to have a root application, with all your other applications hanging
    >> under it as non application virtual directories - and then have something
    >> like the isapi virtual hosting filter handle the domains, allowing the
    >> root
    >> application to own the single session. I've never tried it myself
    >> though.
    >> I would always see a sub-domain as a separate application entirely, or
    >> why
    >> would it be a sub-domain?
    >>
    >> --
    >> Regards
    >>
    >> John Timney
    >> ASP.NET MVP
    >> Microsoft Regional Director
    >>
    >> "Doug" <> wrote in message
    >> news:...
    >> > Hi John,
    >> > I wasn't referring to sharing sessions across parent domains (e.g.
    >> > "mydomain1.com" and "mydomain2.com"). I want to share sessions on
    >> > sub-domains
    >> > of the same domain (e.g. "www.mydomain.com" and "search.mydomain.com").
    >> > Regards,
    >> > Doug
    >> >
    >> >
    >> > "John Timney (ASP.NET MVP)" wrote:
    >> >
    >> >> Sorry I misread your question (it's late here!!).
    >> >>
    >> >> You can't share sessions across domains, nor applications natively -
    >> >> so
    >> >> it
    >> >> will always set a new cookie as you move between domains. Because you
    >> >> can
    >> >> share cookies across those applications (and between those domains)
    >> >> one
    >> >> approach is to store your shared data in a database and use a shared
    >> >> domain
    >> >> cookie to identify the data in the database.
    >> >>
    >> >> --
    >> >> Regards
    >> >>
    >> >> John Timney
    >> >> ASP.NET MVP
    >> >> Microsoft Regional Director
    >> >>

    >>
    >>
    >>
    John Timney (ASP.NET MVP), Aug 23, 2005
    #8
  9. alaistair, Jul 5, 2006
    #9
  10. What about ApplicationID?

    We're trying to get this to work for sub-domains using ASP.NET State Server. However, despite the cookie fix mentioned below, and despite the fact that both applications report the same Session.SessionID, we're seeing a discrepancy in the Session.Counts.

    According to the articles below, it's a combination of the ApplicationID and SessionID that determine uniqueness. The articles seem to suggest that ASP.NET State Server can’t be used for this reason, and that it requires a hack/fix to the SQL SPs to ensure that the ApplicationIDs are made to look the same.

    I’m wondering how it is that you got this to work with ASP.NET State Server, as that is clearly a preferred approach? We've even experimented with running the parent/child applications under same/different application pools to no avail.

    [1] –
    http://blogs.msdn.com/toddca/archiv...sp-net-session-state-across-applications.aspx

    [2] –
    http://www.rochester-consulting.com/german gachevski.aspx?EntryID=22

    Nariman, Oct 2, 2007
    #10
  11. will it work on diff IIS servers as well

    I have a situation where subsites are on different servers as in different machines.

    Will I still be able to share cookie data?

    www.example.com

    subdomain themaster.example.com
    another domain theslave.example.com

    If the user logs in from any of the websites, can all of them share the cookie?
    Last edited: Jun 20, 2008
    chirdeep, Jun 20, 2008
    #11
  12. Problem with Approach "...Domain = .mydomain.com"

    I cannot get Doug's 'hack' to work and I’d really like some advice about what I'm doing wrong. I've tried adding it to my Master Page and also within instances but no luck. My Session.SessionId is the same across subdomains but I can't share session objects (like Session["Example"]).

    1. Does the session mode have to be out-of-proc or can it remain inproc? Mine is currently inproc with cookieless=false
    2. Do I have to add any other code other than these two lines?
    3. Can these lines of code be added somewhere like Page_Load or do they have to go in a special method EndRequest or Page_Unload?

    Thanks
    Alec


    alecl, Jun 23, 2008
    #12
  13. Hi Doug

    Can you please let me know how you solved this problem? I have been looking for three days on the internet to solve this menace, but to no avail. Also, if possible, please give me your email so that I can communicate with you.

    Thanks
    zubairmasoodi, Apr 30, 2009
    #13
  14. Here is a solution I have used in the past that at least alleviated the need to add code to every page:

    In the Global.asax file:

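    void Application_EndRequest(object sender, EventArgs e)
    {
        // Response.Cookies["name"] creates an empty cookie when none exists, so a
        // "!= null" test is always true; check the key list instead.
        if (Array.IndexOf(Response.Cookies.AllKeys, "ASP.NET_SessionId") >= 0)
        {
            // Widen the session cookie's scope to every host under mydomain.com.
            Response.Cookies["ASP.NET_SessionId"].Domain = ".mydomain.com";
        }
    }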
    tewehner, Jul 3, 2009
    #14
  15. Hi,

    We have tried the same approach suggested by you in one of our applications. But the problem is that it is working fine locally on my computer but not on our production server. Is there some other setting I am missing? Could you please suggest some solution?

    It is a bit urgent. Can you please give me a quick suggestion?

    Thanks in advance.

    Anil
    anilchanna, Nov 6, 2009
    #15