Cookies across multiple domains

JeanLouis Marechaux
Ranch Hand

Joined: Nov 12, 2001
Posts: 906
Hum... unable to find the appropriate thread....
But I'll try this one.
I want to share a cookie across multiple domains, let's say and
How can I do that?
At first glance, the only solution I can imagine is to have 2 cookies (one is nearly the clone of the other) and to use a sendRedirect in order to set each cookie from the domain which will need to use it.
But I'm not satisfied with this solution.

Any better idea ??

/ JeanLouis
"software development has been, is, and will remain fundamentally hard" (Grady Booch)
Take a look at Agile OpenUP in the Eclipse community
DC Dalton
Ranch Hand

Joined: May 28, 2001
Posts: 287
The problem with your idea is that cookies are only recognizable by the domain they were issued from. IE: you drop a cookie from and then try to retrieve and read it from't work! No ifs, ands or buts. If you think about it, it makes a lot of sense. If you could read other sites' cookies you could come up with a multitude of information that you shouldn't be looking at.
With that said, I think your idea with a redirect and second cookie drop MAY work although yes, it is very clunky. I really can't see any other way to do it. I'm just very curious why you need to do this, do the sites share info? Maybe with a little more explanation I might be able to help more.
Meng Tan
Ranch Hand

Joined: Jan 20, 2001
Posts: 115
I have tried using Cookie.setPath() to share a cookie across 2 different web applications (in the same domain).
So I think you may be able to share a cookie across 2 different domains using Cookie.setDomain().
David O'Meara

Joined: Mar 06, 2001
Posts: 13459

...except that there is no "setDomain()" in javax.servlet.http.cook-ie
I agree, it can't be done. It's a security thing.
It may be possible to manage users between multiple domains by centralising the server information (like in a common database) and passing a reference to the session between the domains.
Common implementations of session will not allow you to do this; sessions are managed implicitly to make them scalable. You would have to throw away the default implementation and recreate session management (and this isn't recommended).
You could then pass the session key you defined between the domains. cook-ies won't let you.
(replace cook-ie with the appropriate word, UBB won't let me...)
David O'Meara

Joined: Mar 06, 2001
Posts: 13459

Oops, not quite right, there IS a setDomain...
Was just looking at RFC2109 and it doesn't seem to support multiple domains for a single cook-ie.
If you see sections 2 (regarding domain-matching and how it is decided to send what where) and 4.2.2, which states:


Hope I haven't messed things up too badly.
So theoretically you should be able to write a cookie in one domain that gets sent to another, but I haven't seen it used and would be interested in hearing about someone testing it out.
Mark Elliott

Joined: Jan 15, 2002
Posts: 6
A warning about trying this. I think that it should work (haven't tried it myself). However, if you go and look at the settings for cookies in Netscape (for example) it specifically has an option to 'only allow cookies that will be returned to the originating server'. This would suggest that it would be best not to rely on the changing domain method as many people might have this set (not actually sure what the default cookie setting is (corporate build here you see)).
Additionally the method that you mention with two cookies is the way that I have seen it most often done (m$ for example do this) i.e. pass cookies when you move in query string and then set cookie on new site.
[ January 16, 2002: Message edited by: Mark Elliott ]
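An added example, not part of the thread: when a session reference is handed from one site to the other in the redirect's query string, the receiving site can require a short-lived, single-use signed token rather than trusting a raw cookie value. The class name, token layout, HMAC-SHA256 choice, shared key and sample values are all assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class HandoffToken {
    private final byte[] key; // secret shared by both sites (assumption)
    private final Set<String> used = ConcurrentHashMap.newKeySet(); // redeemed tokens
    HandoffToken(byte[] key) { this.key = key.clone(); }

    private byte[] mac(String payload) throws Exception {
        Mac m = Mac.getInstance("HmacSHA256");
        m.init(new SecretKeySpec(key, "HmacSHA256"));
        return m.doFinal(payload.getBytes(StandardCharsets.UTF_8));
    }

    /** Site A: wrap an opaque session reference; expiresAt is epoch seconds. */
    String issue(String sessionRef, long expiresAt) throws Exception {
        String payload = sessionRef + "|" + expiresAt;
        Base64.Encoder enc = Base64.getUrlEncoder().withoutPadding();
        return enc.encodeToString(payload.getBytes(StandardCharsets.UTF_8))
                + "." + enc.encodeToString(mac(payload));
    }

    /** Site B: the session reference, or null if forged, expired or replayed. */
    String redeem(String token, long now) throws Exception {
        String[] parts = token.split("\\.");
        if (parts.length != 2) return null;
        String payload;
        byte[] sig;
        try {
            payload = new String(Base64.getUrlDecoder().decode(parts[0]), StandardCharsets.UTF_8);
            sig = Base64.getUrlDecoder().decode(parts[1]);
        } catch (IllegalArgumentException e) { return null; }
        if (!MessageDigest.isEqual(mac(payload), sig)) return null; // constant-time compare
        int bar = payload.lastIndexOf('|');
        long expiresAt = Long.parseLong(payload.substring(bar + 1));
        if (now > expiresAt || !used.add(token)) return null;
        return payload.substring(0, bar);
    }
    public static void main(String[] args) throws Exception {
        // Constructed key, session reference and timestamps.
        HandoffToken t = new HandoffToken("constructed-demo-key".getBytes(StandardCharsets.UTF_8));
        String token = t.issue("sess-ref-123", 1060L);
        System.out.println("first use: " + t.redeem(token, 1010L));
        System.out.println("replay:    " + t.redeem(token, 1011L));
        System.out.println("tampered:  " + t.redeem("x" + token, 1010L));
    }
}
```

In a deployment with more than one receiving node, the set of redeemed tokens would have to live in storage that all nodes share.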
Mike Fuellbrandt

Joined: Jan 17, 2002
Posts: 14
A note about cookies: You can only share them across "similar" domains. By similar I mean that they have the same "tails".
You could set the cookie to have
Then you could set a cookie on and have it accessible by and

As for your proposed solution, that is how we had to implement for our four site names that people could surf in under. It's just a cost of dealing with the security of the cookies.
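An added example, not part of the thread: the domain-matching rule discussed in the RFC 2109 post and the "same tails" rule above, written as the check a user agent applies before accepting and before returning a cookie. It follows RFC 2109's domain-match and rejection rules for host names only; the class name, method names and hosts are constructed for illustration.

```java
import java.util.Locale;

public class CookieDomainCheck {
    /** RFC 2109 domain-match: identical, or host ends with a Domain value of the form ".tail". */
    static boolean domainMatches(String host, String domain) {
        String h = host.toLowerCase(Locale.ROOT);
        String d = domain.toLowerCase(Locale.ROOT);
        return h.equals(d) || (d.startsWith(".") && h.length() > d.length() && h.endsWith(d));
    }

    /** Would an RFC 2109 user agent accept Set-Cookie with this Domain from setterHost? */
    static boolean accepts(String setterHost, String domain) {
        // Domain must start with a dot and contain an embedded dot: ".com" is refused.
        if (!domain.startsWith(".") || domain.indexOf('.', 1) < 0 || domain.endsWith(".")) {
            return false;
        }
        // The setting host itself must fall under the Domain it names.
        if (!domainMatches(setterHost, domain)) {
            return false;
        }
        // The part of the host in front of Domain may not contain further dots.
        String prefix = setterHost.substring(0, setterHost.length() - domain.length());
        return !prefix.contains(".");
    }

    /** A stored cookie is returned only to hosts that domain-match its Domain. */
    static boolean sentTo(String requestHost, String domain) {
        return domainMatches(requestHost, domain);
    }

    public static void main(String[] args) {
        // Constructed hosts: {setting host, Domain attribute, later request host}
        String[][] cases = {
            {"www.example.com", ".example.com", "shop.example.com"},
            {"www.example.com", ".example.com", "www.example.org"},
            {"www.example.com", ".example.org", "www.example.org"},
            {"www.example.com", ".com", "www.other.com"},
        };
        for (String[] c : cases) {
            boolean ok = accepts(c[0], c[1]);
            System.out.printf("%s sets Domain=%s: accepted=%b, sent to %s=%b%n",
                    c[0], c[1], ok, c[2], ok && sentTo(c[2], c[1]));
        }
    }
}
```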
Tim Holloway
Saloon Keeper

Joined: Jun 25, 2001
Posts: 17038

Of course, if they're running Windows, you could use the "supercookie" security hole.

An IDE is no substitute for an Intelligent Developer.
Prasad Charasala
Ranch Hand

Joined: Nov 02, 2000
Posts: 67
I have worked extensively with cookies. But as far as my knowledge goes, it is not possible to set cookies from one domain and to read them from another domain. Even if it were allowed, doing it that way would cause a big security hole.

nan sh
Ranch Hand

Joined: Jan 05, 2001
Posts: 167
I do experience one web site using another web site's cookie when I surf on the net (a particular user id).