
I am working on a Java web application which depends mainly on cookies. As far as I know, cookies are created based on the host. Our application will be hosted on a cloud and on an intranet as well. The following is my requirement: I have two instances of my application running on the same machine and I want to access my application in the same browser. I have accessed the application running on the two instances with different port numbers in the same browser, like below:

1st instance: http://192.234.45.80:8081/myApp

2nd instance: http://192.234.45.80:8082/myApp

Since my application from both instances is running in the same browser, the cookies created for the 1st instance's application will be overwritten by the 2nd instance's application. The default behaviour is that a cookie is created under the host, but for the above requirement I want to create cookies based on "host and port number", so that the session cookie will be unique.

My questions:

1) Can I create cookies with "host+portnumber" instead of only host?

2) If this requirement is against security policies, what security issues will I face?

3) Suppose there is a way to create cookies based on "host+portnumber", how do I take care of configuration when I host on the cloud to support DNS (domain name pointing to the ipaddress+portnumber)?

M.S.Naidu

1 Answer


Even if your server manages the session ID considering "host+portnumber", it is all up to browsers to honor it. Look at this thread: Are HTTP cookies port specific?

For cloud, the strong suggestion is to get different domains for different apps. Maybe you can go for a wildcard domain so that you can keep creating subdomains, which means you can get the *.wildcard.com DN and keep creating subdomains such as one.wildcard.com, two.wildcard.com and so on, and each subdomain can host your apps, but they also have risks, listed here: https://casecurity.org/2014/02/26/pros-and-cons-of-single-domain-multi-domain-and-wildcard-certificates/

The good thing about subdomains is that, for your case, the cookie will be handled differently for each subdomain, i.e. the browser will treat each subdomain as a different domain.

vasa.v03
  • Hello @vasa, as per your suggestion, I understood that it is possible to create cookies based on hostname and port. Tell me if I am wrong. Will it work on all browsers? – M.S.Naidu Aug 24 '15 at 08:08
  • I think NO... Most browsers will follow most RFC standards but we cannot rely on it. I think for a cloud solution, running the same app on different ports, or even different apps on different ports, does not make sense unless you plan to do hosting like Rackspace or GoDaddy. If you want to load balance, then I suggest creating different VMs and running the app on each VM. – vasa.v03 Aug 24 '15 at 10:33
  • I thought I could create a cookie by using an API in Cookie (setDomain(ipaddrr+port)), but that API is not meant for setting numbers; it only accepts strings (domain names). After that I came to know that there is no solution to create a cookie like this. Please respond if I am wrong. – M.S.Naidu Aug 24 '15 at 10:47
  • You can still create it with ipaddrr+port as a String; the question is, will all browsers honor it? Which I think is NO, or not reliable. – vasa.v03 Aug 24 '15 at 10:50
  • May I know, is there any API to create a cookie like that? – M.S.Naidu Aug 24 '15 at 10:51
  • Let us [continue this discussion in chat](http://chat.stackoverflow.com/rooms/87768/discussion-between-m-s-naidu-and-vasa-v03). – M.S.Naidu Aug 24 '15 at 10:52
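
The overwrite described in the question and the subdomain separation suggested in the answer, as an added example that is not part of the original thread: a minimal model of the RFC 6265 cookie store, where a cookie is identified by name, domain and path and the port is never part of the key. The cookie name `JSESSIONID` (the usual servlet session cookie), the `/myApp` path and the session values are assumptions constructed for illustration.

```javascript
// Minimal model of the RFC 6265 cookie store (added example, not a browser API).
// A stored cookie is keyed by (name, domain, path); the port of the URL that
// set it is not recorded anywhere.
class CookieJar {
  constructor() { this.store = new Map(); }

  // Store a host-only cookie (no Domain attribute) from a response to `url`.
  setCookie(url, name, value, path = "/") {
    const host = new URL(url).hostname;   // hostname excludes the port
    this.store.set(`${name};${host};${path}`, { name, value, host, path });
  }

  // Build the Cookie header a browser would send with a request to `url`.
  cookieHeader(url) {
    const u = new URL(url);
    return [...this.store.values()]
      .filter(c => c.host === u.hostname && pathMatches(u.pathname, c.path))
      .map(c => `${c.name}=${c.value}`)
      .join("; ");
  }
}

// RFC 6265 path-match: equal, or cookie path is a prefix ending at a "/" boundary.
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// Question's setup: same IP, ports 8081 and 8082 (session values are constructed).
function samePortScenario() {
  const jar = new CookieJar();
  jar.setCookie("http://192.234.45.80:8081/myApp/login", "JSESSIONID", "A1", "/myApp");
  jar.setCookie("http://192.234.45.80:8082/myApp/login", "JSESSIONID", "B2", "/myApp");
  return jar.cookieHeader("http://192.234.45.80:8081/myApp/home");
}

// Answer's setup: one subdomain per instance, cookies left host-only.
function subdomainScenario() {
  const jar = new CookieJar();
  jar.setCookie("http://one.wildcard.com/myApp/login", "JSESSIONID", "A1", "/myApp");
  jar.setCookie("http://two.wildcard.com/myApp/login", "JSESSIONID", "B2", "/myApp");
  return [jar.cookieHeader("http://one.wildcard.com/myApp/home"),
          jar.cookieHeader("http://two.wildcard.com/myApp/home")];
}

console.log(samePortScenario());   // instance 1 receives instance 2's session id
console.log(subdomainScenario());  // each instance receives its own session id
```

The separation in the second scenario holds only while the cookies stay host-only; a cookie set with `Domain=wildcard.com` would be sent to every subdomain.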