How do you create a browser cookie that persists to a different domain?

Jeff Hubbach

I have server1 and server2. (Note: I have no control over server2 and it's a CGI server.)

Server1 creates a request to server2. In response, server2 feeds back an html page with the headers

I display the HTML to the browser via the OutputStream. I also obtain the response headers and attempt to relay them back to the browser. Here is the relay cookie I'm attempting to create for the next request. (Note: USER1 is obtained from server2's response.)

Cookie aCookie1 = new Cookie("_user", USER1); 
aCookie1.setDomain("");  //to server2

The next request will be towards server2 but for some reason the cookie doesn't exist in the request even though I created one for that domain on the response before it.

Please don't ask why I'm going through all this trouble of relaying back and forth between 2 servers. I realize a simple POST method from the browser/html would work just fine, but that couldn't be in this case.

Look at section 4.3.2 of RFC 2109, linked below. It states that a cookie is rejected if the following is true:
- The value for the request-host does not domain-match the Domain attribute.

What that means is that you can't set a cookie for a different domain than is being accessed. NOTE: you _can_ set a cookie that will get sent to all subdomains, i.e. www.foo.com and secure.foo.com, but you _can't_ set a cookie on a page requested from foo.com to be sent to a server in the bar.com domain.
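
The check a user agent applies to the Domain attribute under RFC 2109 section 4.3.2, written out as an added example (not code from the original posts). The class and method names and the host/domain pairs are constructed for illustration, and the Path rule of the same section is left out.

```java
import java.util.Locale;

public class CookieDomainCheck {
    // Crude dotted-quad test: an IP host may only match a Domain exactly.
    static boolean isIpAddress(String host) {
        return host.matches("\\d{1,3}(\\.\\d{1,3}){3}");
    }

    // RFC 2109 section 2: host A domain-matches B when the strings are equal
    // (case-insensitive), or B is ".B'" and A is a non-empty name followed by B.
    static boolean domainMatches(String host, String domain) {
        String a = host.toLowerCase(Locale.ROOT);
        String b = domain.toLowerCase(Locale.ROOT);
        if (a.equals(b)) return true;
        return !isIpAddress(a) && b.startsWith(".")
                && a.length() > b.length() && a.endsWith(b);
    }

    // Returns null when the Domain attribute is acceptable for this
    // request-host, otherwise the section 4.3.2 rule that rejects the cookie.
    static String rejectionReason(String requestHost, String domainAttr) {
        if (domainAttr == null || domainAttr.isEmpty()) {
            return null; // no Domain attribute: it defaults to the request-host
        }
        int dot = domainAttr.indexOf('.', 1);
        if (!domainAttr.startsWith(".") || dot < 0 || dot == domainAttr.length() - 1) {
            return "Domain has no embedded dot or does not start with a dot";
        }
        if (!domainMatches(requestHost, domainAttr)) {
            return "request-host does not domain-match the Domain attribute";
        }
        String h = requestHost.substring(0, requestHost.length() - domainAttr.length());
        if (h.contains(".")) {
            return "request-host is HD where H contains a dot";
        }
        return null;
    }

    public static void main(String[] args) {
        // Constructed {request-host, Domain attribute} pairs.
        String[][] cases = {{"www.foo.com", ".foo.com"}, {"secure.foo.com", ".foo.com"},
            {"foo.com", ".bar.com"}, {"www.foo.com", ".com"}, {"a.b.foo.com", ".foo.com"}};
        for (String[] c : cases) {
            String why = rejectionReason(c[0], c[1]);
            System.out.println(c[0] + " Domain=" + c[1] + " -> "
                    + (why == null ? "accepted" : "rejected: " + why));
        }
    }
}
```

RFC 6265, which superseded RFC 2109, drops the leading-dot requirement and the "H contains a dot" rule, but a cookie whose Domain attribute the request host does not domain-match is still ignored.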
