
I have a web application which is hosted at https://example.com. I would like to share a session cookie between the main domain https://example.com and the sub-domain https://www.example.com. Thus, there should be no need for a user to re-login if they switch from one domain to another. How do I achieve this in Spring Boot 2.2.6?

This is what I have tried: I went to application.properties and set server.servlet.session.cookie.domain=.example.com. Now, this does not help. I get an error:

java.lang.IllegalArgumentException: An invalid domain [.example.com] was specified for this cookie
    at org.apache.tomcat.util.http.Rfc6265CookieProcessor.validateDomain(Rfc6265CookieProcessor.java:210) ~[tomcat-embed-core-9.0.33.jar:9.0.33]
    at org.apache.tomcat.util.http.Rfc6265CookieProcessor.generateHeader(Rfc6265CookieProcessor.java:145) ~[tomcat-embed-core-9.0.33.jar:9.0.33]
    at org.apache.catalina.connector.Response.generateCookieString(Response.java:973) ~[tomcat-embed-core-9.0.33.jar:9.0.33]

If I set server.servlet.session.cookie.domain=example.com, then the cookie is not visible for http://www.example.com, and if I set server.servlet.session.cookie.domain=www.example.com, then the cookie is not visible for http://example.com.

I have read discussions about Rfc6265CookieProcessor and LegacyCookieProcessor, but I don't know the right way to fix this issue.

Spring Boot 2.2.6 uses Tomcat version 9.0.*

So, how do I fix this issue?

EDIT:

I was trying the above changes on localhost only and not on production. Instead of accessing http://www.example.com, I was doing https://www.localhost, and instead of accessing http://example.com, I was doing http://localhost.


The right value is:

server.servlet.session.cookie.domain=example.com

What I was trying was that I was making changes on localhost and they were not working for me. I was modifying the values in chrome console manually and expecting to see cookies set on https://localhost with domain localhost to be visible in another tab for domain https://www.localhost and that was not happening.

I read the answer here: Share cookie between subdomain and domain, and @Cesc's comment on that answer, which was:

I am not sure where to put this so I am choosing the comments of the accepted answer. It took a long time and failed experiments to prove the above on my localhost, until it occurred to me that I should call the localhost with a dot in the name. Like "localhost.com" or something like that. Then all the "set cookies" behaviours started following the explanations written here in this answer. Hoping this might help somebody.

So, I tried my changes on production directly and they worked fine. I am still not able to get it to work on localhost. The way I access my website on localhost is:

https://localhost and https://www.localhost. Based on @Cesc's comment, I probably need to access the website on localhost as https://www.localhost.com or https://localhost.com and then it will work. But, I have not tried that.

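To see why `example.com` is the right Domain value, why Tomcat rejects the leading-dot form, and why a dotless host such as `localhost` does not behave like a real domain, here is an added Python model of the cookie Domain rules (an illustration written for this page, not code from the question, the answers, Spring or Tomcat). The server-side check only mirrors the error shown in the question; the "dotless Domain value is rejected" rule is a stated simplification of browser public-suffix handling, not a quote from RFC 6265.

```python
"""Model of RFC 6265 cookie Domain handling (added example, not Spring/Tomcat code)."""
from typing import Optional, Tuple


def domain_matches(host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3: a host domain-matches a cookie domain when it is
    identical to it or ends with '.' + cookie domain (IP addresses excluded here
    for brevity). 'evil-example.com' does NOT match 'example.com'."""
    host, cookie_domain = host.lower(), cookie_domain.lower()
    if not cookie_domain:
        return False
    return host == cookie_domain or host.endswith("." + cookie_domain)


def server_accepts_domain(domain: str) -> bool:
    """Server-side validation reflecting the stack trace in the question:
    Tomcat's RFC 6265 cookie processor refuses a Domain value that starts
    with a dot. '.example.com' -> False, 'example.com' -> True."""
    return bool(domain) and not domain.startswith(".")


def browser_stores_cookie(set_on_host: str, domain_attr: Optional[str]) -> Optional[Tuple[str, bool]]:
    """Return (effective_domain, host_only) as a browser would store it, or None
    when the cookie is rejected.  No Domain attribute -> host-only cookie.
    Assumption/simplification: a Domain value containing no dot (e.g. 'localhost')
    is treated like a public suffix and rejected, which is why 'localhost' and
    'www.localhost' cannot share a domain cookie while 'localhost.com' can."""
    if domain_attr is None:
        return (set_on_host.lower(), True)
    effective = domain_attr.lower().lstrip(".")  # RFC 6265 5.2.3 ignores a leading dot
    if "." not in effective:
        return None
    if not domain_matches(set_on_host, effective):
        return None  # a host may not set cookies for an unrelated domain
    return (effective, False)


def cookie_visible(set_on_host: str, domain_attr: Optional[str], requesting_host: str) -> bool:
    """True when a cookie set on set_on_host with the given Domain attribute
    would be sent with a later request to requesting_host."""
    stored = browser_stores_cookie(set_on_host, domain_attr)
    if stored is None:
        return False
    effective, host_only = stored
    if host_only:
        return requesting_host.lower() == effective
    return domain_matches(requesting_host, effective)
```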

Rather than testing with 'localhost' on your dev machine, try using your machine's fully-qualified host name. I've had a similar challenge with testing authentication against our single sign-on platform.
