Best way for allowing subdomain session cookies using Tomcat

Andrew Ingram picture Andrew Ingram · Sep 17, 2008 · Viewed 32.9k times · Source

By default tomcat will create a session cookie for the current domain.

If you are on www.example.com, your cookie will be created for www.example.com (will only work on www.example.com). Whereas for example.com it will be created for .example.com (desired behaviour, will work on any subdomain of example.com as well as example.com itself).

I've seen a few Tomcat valves which seem to intercept the creation of session cookies and create a replacement cookie with the correct .example.com domain, however none of them seem to work flawlessly and they all appear to leave the existing cookie and just create a new one. This means that two JSESSIONID cookies are being sent with each request.

I was wondering if anybody has a definitive solution to this problem.

Answer

mkvalsvik picture mkvalsvik · Aug 6, 2010

This is apparently supported via a configuration setting in 6.0.27 and onwards:

Configuration is done by editing META-INF/context.xml

<Context sessionCookiePath="/something" sessionCookieDomain=".domain.tld" />

https://issues.apache.org/bugzilla/show_bug.cgi?id=48379