Hello, I do believe that any cookie will be associated by the browser to the hostname it was received from. So if the response from a request to www.bla.com.au contains that cookie, it will be recorded in the browser's cookie table as valid only for that explicit hostname.
There is often debate as to whether the cookie will be sent to subdomains of that host (e.g. secure.www.bla.com or sub.www.blah.com.au). I guess someone should test it one day and settle that debate for good! ;-) However, a cookie issued by www.blah.com.au will never be sent to secure.blah.com.au - that's just a plain security flaw - otherwise it could be easily possible to trap session information from the other location/s.

Something that you might care to try (as per the subdomain debate ;-) is to set the cookie (using the code below) from a URL like http://blah.com.au/setcookie.cfm, then see if it will send it back to www.blah.com.au and secure.blah.com.au.

Cheers,
Mike.

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Phil Rasmussen
> Sent: Wednesday, 4 May 2005 3:46 PM
> To: CFAussie Mailing List
> Subject: [cfaussie] jsessionid problems crossing domain
>
> Hi Everyone,
>
> Just wondering if anyone has implemented a J2EE session management solution
> in any of their applications which involves a change of domain during the
> session?
>
> We are trying to implement jsessionid on an eCommerce site, and haven't
> really found a good way to manage the session without passing jsessionid
> through every url. The big problem occurs when a user jumps to the secure
> domain to make their payment and the session gets lost.
>
> J2EE session management is enabled in the administrator on the CF7 boxes and
> we are trying to get this session to stay alive by using a browser
> persistent cookie as follows:
>
> <cfif not IsDefined("cookie.jsessionid")>
>     <cfcookie name="jsessionid" value="#session.sessionid#" secure="true" path="/" domain="bla.com.au">
> </cfif>
>
> The session dies when the user jumps from www.bla.com.au to
> secure.bla.com.au
>
> Any suggestions would be appreciated.
>
> Cheers,
> Phil
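
The cookie scoping questions raised in this thread, modelled on the RFC 6265 rules as an added example (not code from either poster): host-only versus Domain-attribute cookies, and the Secure flag. The function names and the cookie value are constructed for illustration, and public-suffix, IP-address and path checks are left out.

```javascript
// Added example: RFC 6265 cookie scoping. Hostnames are the ones used in the
// thread; the cookie value is constructed. Simplified: no public-suffix,
// IP-address or path checks (path is "/" in the thread's cfcookie tag).

// RFC 6265 5.1.3: the host equals the domain or ends with "." + domain.
function domainMatch(host, domain) {
  const h = host.toLowerCase();
  const d = domain.toLowerCase().replace(/^\./, "");
  return h === d || h.endsWith("." + d);
}

// Store a cookie received from setUrl. No Domain attribute: host-only cookie.
// With Domain: the setting host must domain-match it, else it is rejected.
function storeCookie(setUrl, { name, value, domain, secure = false }) {
  const host = new URL(setUrl).hostname;
  if (domain && !domainMatch(host, domain)) return null;
  return {
    name, value, secure,
    hostOnly: !domain,
    domain: (domain || host).toLowerCase().replace(/^\./, ""),
  };
}

// Would the browser attach this stored cookie to a request for reqUrl?
function wouldSend(cookie, reqUrl) {
  const u = new URL(reqUrl);
  if (cookie.secure && u.protocol !== "https:") return false;
  return cookie.hostOnly
    ? u.hostname === cookie.domain
    : domainMatch(u.hostname, cookie.domain);
}

// The cases raised in the thread, evaluated against the model above.
function threadScenarios() {
  const set = "http://www.blah.com.au/setcookie.cfm";
  const c = { name: "jsessionid", value: "CONSTRUCTED-ID" };
  const hostOnly = storeCookie(set, c);
  const shared = storeCookie(set, { ...c, domain: "blah.com.au" });
  const sharedSecure = storeCookie(set, { ...c, domain: "blah.com.au", secure: true });
  return {
    hostOnlyToSubdomain: wouldSend(hostOnly, "http://sub.www.blah.com.au/"),
    hostOnlyToSibling: wouldSend(hostOnly, "https://secure.blah.com.au/pay"),
    sharedToSibling: wouldSend(shared, "https://secure.blah.com.au/pay"),
    secureOverHttp: wouldSend(sharedSecure, "http://www.blah.com.au/cart"),
    secureOverHttps: wouldSend(sharedSecure, "https://secure.blah.com.au/pay"),
  };
}

console.log(threadScenarios());
```

Under this model a host-only cookie from www.blah.com.au reaches neither sub.www.blah.com.au nor secure.blah.com.au, while a cookie with Domain=blah.com.au reaches both. Adding Secure restricts it to HTTPS requests.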
