1

I need to change the cookie value of another domain. I know that we cannot do it using JavaScript. Is it possible using a servlet?

I am trying like this, but with no success. Where am I going wrong? I have two web applications, namely Cookies1 and Cookies2, deployed in one Tomcat on localhost.

Servlet of cookie1 application

protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
    response.setContentType("text/html");
    PrintWriter pw = response.getWriter();

    // String Html = "<HTML><BODY>HI</body></html>";
    // pw.write(Html);

    Cookie cookie = new Cookie("__utmz", "Arvind");
    cookie.setDomain("http://localhost:8080/Cookie2");
    cookie.setPath("/");

    response.addCookie(cookie);

    // response.getWriter().write(Html);
}

Servlet of cookie1 application

protected void doGet(HttpServletRequest request,
        HttpServletResponse response) throws ServletException, IOException {
    System.out.println("CookieSetDm.doGet()");
    Cookie[] cookies = request.getCookies();
    if (cookies != null) {
        for (int i = 0; i < cookies.length; i++) {
            System.out.println(cookies[i].getName() + " <> " + cookies[i].getValue());
        }
    }
}

Arvind

2 Answers

3

You can't modify the cookies of one domain using a servlet or JavaScript hosted on another domain, for security reasons. See RFC 6265, section 4.1.2.3:

The user agent will reject cookies unless the Domain attribute specifies a scope for the cookie that would include the origin server. For example, the user agent will accept a cookie with a Domain attribute of "example.com" or of "foo.example.com" from foo.example.com, but the user agent will not accept a cookie with a Domain attribute of "bar.example.com" or of "baz.foo.example.com".

But you can set a cookie in a servlet/script and then read/modify the cookie in another servlet/script on the same host. You can even read or modify a cookie set on a server running on one port on the same hostname/domain from a server running on another port at the same hostname/domain - so you can have Tomcat running on two different ports on the same server and exchange cookies between the two.


Note that you're calling setDomain incorrectly in the first example - this field of the cookie takes a domain name and not a full URL. So the call should look like this:

cookie.setDomain("localhost");

As the other answer notes, some browsers ignore cookies for localhost, so you may want to not set this field of the cookie at all - this has the effect of setting a cookie that will only be returned to the same host that set it (which most of the time is what you want).

pobrelkey

+1 for using a more current RFC. 6265 obsoletes 2965 obsoletes 2109. By the way, "localhost" is not a valid domain for a cookie (does not start with a dot and contain embedded dots), and some browsers can and will reject it. – Jason C Nov 20 '13 at 07:39

2

You can only do this between two domains that end with the same thing; e.g. you can set a cookie's domain to '.domain.com' so that 'x.domain.com' and 'y.domain.com' both have access to it. The cross-domain cookie rules are described in RFC 2109. In particular:

4.3.2 Rejecting Cookies

To prevent possible security or privacy violations, a user agent rejects a cookie (shall not store its information) if any of the following is true:

  • The value for the Path attribute is not a prefix of the request-URI.

  • The value for the Domain attribute contains no embedded dots or does not start with a dot.

  • The value for the request-host does not domain-match the Domain attribute.

  • The request-host is a FQDN (not IP address) and has the form HD, where D is the value of the Domain attribute, and H is a string that contains one or more dots.

Examples:

  • A Set-Cookie from request-host y.x.foo.com for Domain=.foo.com would be rejected, because H is y.x and contains a dot.

  • A Set-Cookie from request-host x.foo.com for Domain=.foo.com would be accepted.

  • A Set-Cookie with Domain=.com or Domain=.com., will always be rejected, because there is no embedded dot.

  • A Set-Cookie with Domain=ajax.com will be rejected because the value for Domain does not begin with a dot.

As long as you are not violating the above rules, you are fine. Otherwise, browsers will reject the cookie.

It is worth noting that "localhost" does not fit into the above rules, and some browsers can and do reject cookies with a "localhost" domain.

Jason C
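
The user-agent check that the first answer quotes from RFC 6265 can be written out as code. This is an added example, not part of the original question or answers: the function names `domainMatch`, `evaluateDomain` and `sentTo` are hypothetical, the sample hosts are constructed, and the public-suffix rejection step of RFC 6265 section 5.3 is omitted.

```javascript
// Added example: RFC 6265 domain-match (section 5.1.3) plus the Domain
// attribute handling of sections 5.2.3 and 5.3. Names are hypothetical.
const IPV4 = /^\d{1,3}(\.\d{1,3}){3}$/;

// True if `host` domain-matches `domain` (both lower case).
// Suffix matching is only allowed for host names, never for IP addresses.
function domainMatch(host, domain) {
  if (host === domain) return true;
  const isIp = IPV4.test(host) || host.includes(":");
  return !isIp && host.endsWith("." + domain);
}

// What a user agent does with the Domain attribute of a Set-Cookie header.
// requestHost carries no port or path: cookies are scoped by host name only.
function evaluateDomain(requestHost, domainAttr) {
  const host = requestHost.toLowerCase();
  // 5.2.3: lower-case the value and ignore one leading dot.
  const domain = (domainAttr || "").toLowerCase().replace(/^\./, "");
  if (domain === "") {
    // No usable Domain attribute: host-only cookie, returned to this host only.
    return { stored: true, hostOnly: true, domain: host };
  }
  if (!domainMatch(host, domain)) {
    // 5.3: the origin server is outside the requested scope, cookie is ignored.
    return { stored: false, hostOnly: false, domain };
  }
  return { stored: true, hostOnly: false, domain };
}

// Would the stored cookie be attached to a request for targetHost?
function sentTo(cookie, targetHost) {
  if (!cookie.stored) return false;
  const host = targetHost.toLowerCase();
  return cookie.hostOnly ? host === cookie.domain
                         : domainMatch(host, cookie.domain);
}

// Constructed cases: the RFC examples from the answer and the asker's value.
const cases = [
  ["foo.example.com", "example.com"],
  ["foo.example.com", "bar.example.com"],
  ["localhost", "http://localhost:8080/Cookie2"],
  ["localhost", undefined],
];
for (const [host, attr] of cases) {
  console.log(host, "Domain=" + attr, JSON.stringify(evaluateDomain(host, attr)));
}
```

The last case is the host-only cookie the first answer recommends for localhost: it is stored without a Domain attribute and goes back to any port on that host.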