Domain level session cookie on multiple domains

Question

If you want ColdFusion to create your session cookie as a domain level cookie e.g. .bar.com rather than foo.bar.com then you can configure that in the jrun-web.xml:-

<session-config>    
   <cookie-config>
          <active>true</active>
          <cookie-domain>.bar.com</cookie-domain>
   </cookie-config>
  <persistence-config>
    <active>false</active>
  </persistence-config>
</session-config>

However, this is an instance wide setting so if you want to run two applications on that instance or indeed one application with or more different top-level domains then one of them will have sessions that do not work.

Is there a way to add multiple domains to the jrun-web.xml and have it pick the relevant one?

Thanks.

score 2 · Answer 1 · answered Jul 03 '13 at 09:56

I managed to find the DTD for jrun-web.xml (the link @ the top points to a defunct Macromedia URL).

This specifies that there can be only one <cookie-domain> node in the XML. I've also tested a list of domain names, eg:

<cookie-domain>.domainA.com,.domainB.com</cookie-domain>

And that doesn't work either.

Not an absolute answer, but I suspect that it's possibly not possible (!), and it's certainly not possible via jrun-web.xml (which I guess answers one of your questions at least).

score 0 · Answer 2 · edited Feb 15 '12 at 22:01

0

I think you could use <CFHEADER> to set domain cookies instead of <CFCOOKIE>?

edited Feb 15 '12 at 22:01

DaveShaw

52,123
16
112
141

answered Feb 15 '12 at 16:36

Tero Pikala

1

I would be surprised if you could use CFHEADER to manipulate the cookies that were created by cfapplication. Maybe post an example you've seen work? – Jake Feasel Feb 16 '12 at 19:42

score 0 · Answer 3 · answered Feb 15 '12 at 17:17

0

<cfapplication
   setdomaincookies=yes
   .....>

This will set your cfid and cftoken cookies as domain cookies (*.bar.com) rather than the host-specific values (foo.bar.com).

CFApplication (see the section on setDomainCookies)

answered Feb 15 '12 at 17:17

Jake Feasel

16,785
5
53
66

this only affects CFID and CFTOKEN sadly. We are using J2EE sessions which are unaffected by this setting. – baynezy Feb 24 '12 at 11:48

score -1 · Answer 4 · answered Feb 15 '12 at 13:59

I think if you name your application with the cgi.server_name variable, and each of your sites uses the same application.cfc or application.cfm file, then your session and cookie variables will be properly scoped for each individual site. For example:

<cfapplication name="#cgi.server_name#" sessionmanagement="YES" clientmanagement="YES" sessiontimeout="#CreateTimeSpan(1,0,0,0)#" applicationtimeout="#CreateTimeSpan(1,0,0,0)#"  clientstorage="COOKIE" setclientcookies="YES">

Domain level session cookie on multiple domains

4 Answers4

Linked