Cookie and sharing between subdomains?


Viewed 223 times

3

I have a website at http://www.mysite.com.br whose code creates some cookies, including information with encrypted data. A subdomain has now been created at http://api.mysite.com.br for a new website, and I realized that the same cookies are shared and that the keys created can even be accessed, since the applications run on the same server.

I ask you:


  1. Are cookies really shared between an application and its subdomains?
  2. What are the positive points?
  3. What are the negative points?
  4. Generally speaking, is there a better technique for sharing domain information with subdomains?
  • 1

    Two negative votes? Is there a problem? Because lately I only get negative votes.

  • I’m going through the same thing. I think it is a bot downvoting certain users, using several accounts to circumvent the system’s fraud detection, because the downvotes I am receiving occur with a certain periodicity.

  • I saw your complaints, @Augustovasques, and what you just commented is very relevant. I don’t know what else to do; it seems like outright stalking.

  • 1

    I understand your anguish. Even though this is an unpaid and non-compulsory activity, I contribute my best in each of my posts. On third-party posts I do my best to leave feedback on why I downvoted or voted to close. Whenever there really is some problem with one of my posts, the community always downvotes or points out where my fault was. But receiving a downvote on something that is correct and in accordance with the site's posting rules, without any explanation, is embarrassing.

2 answers

0

Depending on the application, sharing cookies between different subdomains may be a problem, not least because you have indicated that the cookies even contain encrypted data. I would create a table and put the following fields in it:

  1. Session cookie (Ex: PHPSESSID)
  2. Subdomains where data will be visible.
  3. The encrypted data.

This way, you can create a method that checks the session cookie and the user’s current subdomain, and checks in the DB whether it has access to the encrypted data. This would protect the encrypted data and only release it if the session cookie matches the subdomain. Another alternative may be to take advantage of the flexibility of sessionStorage(), but it is also not as safe as this DB technique.

-1

  1. Yes, there is sharing if the domain is specified when generating the cookie. For example, if the domain is specified as "mysite.com", it will include all subdomains ("api.mysite.com"). If not specified, the default is the local host part of the current document, that is, it should exactly match the cookie domain ("host-only cookie").
  2. One positive point is that you can share the same cookie across your domains. Imagine multiple systems in separate projects: you can, for example, use the cookie to authenticate between them, dispensing with the various login screens.
  3. I see no downside, as it is possible to limit the cookie only to the local host as explained in item 1.
  4. This depends on what kind of information you want to move between domains. Depending on what you need, you can even make use of the database. But cookies work well for the example you reported.
  • What’s wrong with the answer? Is there any indication of what the problem is? And can whoever downvoted add a better answer pointing out the problems in the other answers?

  • Yeah, I didn’t get it either. I could at least add some information to the answer.
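
The scoping rule from item 1 of the answer above, as an added example that is not part of the original thread: a simplified JavaScript model of how a browser decides (per RFC 6265) whether a cookie set by www.mysite.com.br is also sent to api.mysite.com.br. The function names and the sample Set-Cookie values are constructed for illustration, and the public-suffix, Path and Secure checks are left out.

```javascript
// Simplified RFC 6265 cookie scoping (assumption: no public-suffix, Path or Secure checks).

// RFC 6265 section 5.1.3: a host matches a domain if they are identical, or if the
// host ends with "." + domain and the host is not an IP address.
function domainMatch(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  if (host === domain) return true;
  const isIp = /^[\d.]+$/.test(host) || host.includes(":");
  return !isIp && host.endsWith("." + domain);
}

// Model what the browser stores when `setHost` responds with this Set-Cookie value.
function storeCookie(setHost, setCookieValue) {
  const [pair, ...attrs] = setCookieValue.split(";").map((s) => s.trim());
  const name = pair.slice(0, pair.indexOf("="));
  let domainAttr = null;
  for (const attr of attrs) {
    const eq = attr.indexOf("=");
    const key = (eq === -1 ? attr : attr.slice(0, eq)).toLowerCase();
    if (key === "domain" && eq !== -1) {
      // A leading dot is ignored; an empty value is treated as "no Domain attribute".
      domainAttr = attr.slice(eq + 1).trim().replace(/^\./, "").toLowerCase();
    }
  }
  // No Domain attribute: host-only cookie, returned only to the exact host that set it.
  if (!domainAttr) return { name, domain: setHost.toLowerCase(), hostOnly: true };
  // A host may set a cookie only for itself or for a parent domain, never a sibling.
  if (!domainMatch(setHost, domainAttr)) return null;
  return { name, domain: domainAttr, hostOnly: false };
}

// Would the browser attach this stored cookie to a request for `requestHost`?
function isSentTo(cookie, requestHost) {
  return cookie.hostOnly
    ? requestHost.toLowerCase() === cookie.domain
    : domainMatch(requestHost, cookie.domain);
}

// Constructed sample headers: the same session cookie with and without a Domain attribute.
const hostOnly = storeCookie("www.mysite.com.br", "PHPSESSID=abc123; Path=/; HttpOnly");
const shared = storeCookie("www.mysite.com.br", "PHPSESSID=abc123; Domain=mysite.com.br; Path=/");
for (const host of ["www.mysite.com.br", "api.mysite.com.br"]) {
  console.log(host, "| host-only sent:", isSentTo(hostOnly, host),
    "| Domain=mysite.com.br sent:", isSentTo(shared, host));
}
```

The host-only cookie stays on www.mysite.com.br, while the one carrying Domain=mysite.com.br is also delivered to api.mysite.com.br and to any other subdomain.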
