Monday, December 24, 2012

Set cookie paths and domains.

This restricts a cookie to a subdomain, I think:

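// Set attributes on the response cookie; changes made to Request.Cookies are never sent back to the browser.
HttpContext.Current.Response.Cookies["foo"].Domain = "support.example.com";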

This restricts a cookie to a folder:

// Scope the response cookie to /support and the paths beneath it.
HttpContext.Current.Response.Cookies["foo"].Path = "/support";

Note: A single forward slash for the path setting will encompass the whole of the site. This will cause an "Overly Broad Path" finding in an HP Fortify scan.

5 comments:

  1. Hi jaeschke,

    There is an issue with this that I am facing.
    Say the cookie path is set to "/Support".
    If the user requests "www.domain.com/support", the cookie is not available. Only if the request is "www.domain.com/Support" can the cookie be read.
    Couldn't find a solution on the whole net. It would be highly appreciated if there is any solution to this problem.

    Thanks,
    Chetan

  2. I'll see if I can figure this out, but it won't be until later tonight.

  3. Alright, over my lunch break I did the same Googling you did and I do not see a way to easily solve this conundrum without just giving up and using site-wide cookies. The best solution: If a URL has uppercase letters in it I suppose you could do a Response.Redirect to the same path without any uppercase letters.

  4. We can control it by always following the same case in our app, though it is too much change\maintenance for an already developed big app. But users can type in the browser with any case. This is not in our hands :-( and it looks like the browser does not send that cookie if the URL is not in the same case as the cookie path.

  5. You could write something that audits the routes and then reroutes if a user has typed in the URL line.

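
An added example (not from the original post or its commenters) that models how a browser decides whether to send a cookie for a request path, following the path-match rule in RFC 6265 section 5.1.4, together with the lowercase redirect suggested in the comments. The function names and sample paths are constructed for illustration.

```javascript
// Browser-side cookie path-match rule (RFC 6265, section 5.1.4).
// The comparison is a plain string comparison, so it is case-sensitive.
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  // A prefix only counts when it ends on a path-segment boundary,
  // so Path=/support does not cover /supportdesk.
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// Hypothetical helper for the lowercase redirect suggested in the comments.
// Returns the URL to redirect to, or null when the path is already canonical.
// Only the path is lowercased; the query string is passed through unchanged.
function canonicalRedirect(path, query = "") {
  const lower = path.toLowerCase();
  return lower === path ? null : lower + query;
}

// Constructed sample requests against a cookie set with Path=/support.
function demo() {
  const cookiePath = "/support";
  const requests = ["/support", "/support/tickets", "/Support", "/supportdesk", "/"];
  return requests.map((p) => ({
    path: p,
    sent: pathMatches(p, cookiePath),
    redirect: canonicalRedirect(p),
  }));
}

console.table(demo());
```

With the cookie's Path written in lowercase and mixed-case requests redirected to their lowercase form before the application reads the cookie, the narrow path can stay in place instead of falling back to "/".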