We have one web application that is being built to serve multiple regional web site TLDs. In addition, the web application also supports thousands of dynamic subdomains. Examples include:
www.example.com
www.example.co.uk
www.example.com.ar
fred123.example.co.uk <== Thousands of this form
fred123.p.example.us <== Thousands of this form
While we can understand that different domain TLDs result in new sessions, a problem starts to appear with the latter 2 examples above, which also result in new session instances. For example, if a user:
Goes to: www.example.co.uk a new session is created and then...
Clicks on a link: fred123.example.co.uk a new session is created and then...
Clicks on a link: sam99.example.co.uk a new session is created...
3 clicks ==>> 3 sessions!!!!
The problem appears to be due to the fact that GlassFish v3 automatically makes the domain of the JSESSIONID to be the FQDN of the host request.
What is required is that the host name part be stripped off the domain value at the very least, to have domain values like:
.example.com
.example.co.uk
.example.com.ar
.example.co.uk <== Thousands of this form
.p.example.us <== Thousands of this form
Does anyone know how this can be achieved? I have found the following Q&A; however, in our case the subdomain TLDs do not all match:
An issue dealing with JSP Session
Ergo the solution of statically configuring the sun-web.xml OR using a Servlet 3.0 solution does not appear to help. Also creating a filter response wrapper does not work either as the JSESSIONID cookie is assigned in the lower levels of the Application server and is not exposed to the Web App to intercept.
The only other two options I think I have are:
a) Patch the GlassFish v3 code that sets JSESSIONID cookie domain value to FQDN so that some stripping occurs OR
b) Doing something in the Sun Web Server 7.0 reverse proxy layer that we have to re-write the JSESSIONID cookie domain value returned in the set-cookie header however I have not been able to find examples on how to do this
Can anyone help resolve this issue? Any clues / help will be very much appreciated!
Using Apache and mod_headers to rewrite the cookies?
Best way for allowing subdomain session cookies using Tomcat
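An added example (not from the original posts) of option (b) from the question: rewriting the `Domain` attribute of the `JSESSIONID` `Set-Cookie` header at the proxy layer, choosing the value from a fixed list of base domains rather than deriving it from the request host by string surgery. `BASE_DOMAINS`, `cookie_domain_for` and `rewrite_set_cookie` are hypothetical names, and the cookie value is constructed. A cookie scoped this way is sent to every subdomain under that base, including all the per-user ones, so the other attributes (`HttpOnly`, `Secure`, `Path`) are passed through unchanged.

```python
# Base domains taken from the examples in the question; anything else is left alone.
BASE_DOMAINS = ("example.com", "example.co.uk", "example.com.ar", "p.example.us")


def cookie_domain_for(host):
    """Return the configured base domain that `host` belongs to, or None."""
    host = host.split(":", 1)[0].rstrip(".").lower()  # drop port and trailing dot
    matches = [b for b in BASE_DOMAINS if host == b or host.endswith("." + b)]
    # The longest match wins, so a more specific base is preferred if bases nest.
    return max(matches, key=len) if matches else None


def rewrite_set_cookie(header_value, request_host, cookie_name="JSESSIONID"):
    """Replace (or add) Domain on the session cookie; return other cookies unchanged."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0]
    base = cookie_domain_for(request_host)
    if name != cookie_name or base is None:
        return header_value  # unknown host or different cookie: do not widen scope
    attrs = [p for p in parts[1:] if p and not p.lower().startswith("domain=")]
    return "; ".join([parts[0], "Domain=." + base] + attrs)


if __name__ == "__main__":
    # Constructed header as the application server might emit it.
    original = "JSESSIONID=abc123; Domain=fred123.example.co.uk; Path=/; HttpOnly"
    print(rewrite_set_cookie(original, "fred123.example.co.uk"))
```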
There are two page trees in my TYPO3 and I link between them. Both websites use an SSL/TLS encryption for the frontend delivery and thus should only generate relative links (if on the same domain) or link to my second domain (which it does, but only using http and not https).
Now the reason for this seems clear: I've never told TYPO3 to only generate https links. The question is: how would I do that in the first place?
I've come across the possibility to work with config.absRelPrefix but this doesn't work when linking across domains.
use
config.typolinkCheckRootline = 1
this way typolinks check if the target page belongs to the current domain.
https://docs.typo3.org/typo3cms/TyposcriptReference/Setup/Config/Index.html#typolinkcheckrootline
Apparently, config.typolinkCheckRootline = 1 as well as any combination of config.absRelPrefix and config.baseUrl won't help it, if TYPO3 gets the wrong HTTP host and only gets the host via HTTP_X_FORWARDED_HOST env var.
I'm developing a database backed web-app. I will be providing the same basic services to several branches of the same company.
Right now I have an Apache server with virtual servers and a resource server for reporting.
branch1.mycompany.com
branch2.mycompany.com
resources.mycompany.com
So basically when I call resources from the site I pass the site as a parameter.
branch1.mycompany.com -> resources.mycompany.com?branch=1&parameter=1
branch2.mycompany.com -> resources.mycompany.com?branch=2&parameter=1
Even with two branches there is a problem trying to keep up with updating both sites and now, I'm going to be implementing this scheme for seven sites.
So my question is this: Is there a way I can make an IIS or TomEE web-app with the following features?
I want to still allow each branch to access through its URL
Even when there are 7 URLs; all of them will be pointing to the same web-app
Depending on the URL, is there a way the site parameter can be inferred or calculated so I can call the right resource or web service?
The user should never realize they are accessing a common web-app. (i.e. should not be redirected to web-app.mycompany.com?site=1.)
Tomcat (so tomee) has now a rewrite valve which is close to httpd mod_rewrite, this can surely solve that smoothly. I assume IIS has it as well but don't know it that much. Trick is to reverse proxy the requests.
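An added example (not from the original posts) of inferring the branch from the request host inside one shared web-app, as the question asks, when a reverse proxy sits in front as the answer suggests. The branch comes from a fixed host table, and `X-Forwarded-Host` is honoured only when the connection comes from the proxy. `BRANCH_BY_HOST`, `TRUSTED_PROXIES`, the function names and the addresses are assumptions; header names are assumed to be normalised to the spelling shown.

```python
import ipaddress

# Constructed sample data: the two branch hosts from the question, one proxy subnet.
BRANCH_BY_HOST = {"branch1.mycompany.com": 1, "branch2.mycompany.com": 2}
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]


def effective_host(headers, peer_ip):
    """Return the host the client asked for, lower-cased and without port."""
    peer = ipaddress.ip_address(peer_ip)
    forwarded = headers.get("X-Forwarded-Host")
    if forwarded and any(peer in net for net in TRUSTED_PROXIES):
        # Use the last value: it is the one appended by the proxy nearest to us.
        host = forwarded.split(",")[-1]
    else:
        # Direct connection: a client-supplied X-Forwarded-Host is ignored.
        host = headers.get("Host", "")
    return host.strip().split(":", 1)[0].rstrip(".").lower()


def branch_for_request(headers, peer_ip):
    """Return the branch id for this request, or None if the host is not ours."""
    return BRANCH_BY_HOST.get(effective_host(headers, peer_ip))


if __name__ == "__main__":
    # Request relayed by the proxy: Host is the backend name, the public name is forwarded.
    relayed = {"Host": "backend:8080", "X-Forwarded-Host": "branch1.mycompany.com"}
    print(branch_for_request(relayed, "10.0.0.5"))
```

A request whose host is not in the table yields `None`, which the application should treat as an error rather than falling back to a default branch.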
I am hoping you can help. I have 5 websites that run off the same .net code base and have different themes based on the url.
For example, http://site1.mydomain.co.uk is set up so that it does a http redirect to https://site1.mydomain.co.uk and I have the main SSL IIS entry as mydomain.co.uk with a wildcard SSL certificate and bindings for https://site1.mydomain.co.uk.
The issue I have though is when I put the http redirect on one of the other urls, all of them change to the last one entered. If that makes sense?
So, let's say I have just finished the site1.mydomain.co.uk entry and now move onto site2.mydomain.co.uk. I create the https://site2.mydomain.co.uk binding in the main mydomain.co.uk IIS record and then put a http redirect on http://site2.mydomain.co.uk so that it redirects to https://site2.mydomain.co.uk.
If I then go and check the previous record, site1.mydomain.co.uk the redirect has now changed to https://site2.mydomain.co.uk which is not what I wanted. Why is it doing this and how can I prevent this?
Is there any chance you're using the same folder in the filesystem for all 5 websites?
In IIS, the HTTP Redirect settings are stored in a web.config file in the folder you're serving from, so if you were serving all 5 sites from the same folder then they would all have the same settings, i.e. changing the settings for one of them would change it for all of them.
That being said, I strongly recommend that you use URL Rewrite to do http to https redirects. Doing the redirect in this way is compatible with having 5 sites served from the same folder. You can install it from here (WARNING: the install requires an iisreset, i.e. a brief downtime for your site): http://www.iis.net/downloads/microsoft/url-rewrite
After installing URL Rewrite, you can create a rule to do the redirect. Stack Overflow won't let me post the screenshot here, so I uploaded it to here: http://postimg.org/image/4s4vjajs3/cf4f5c08/
Also, if you're using a wildcard certificate, then doing the redirect in this way might remove your need for having 5 different websites.
I have built a cookie consent module that is used on many sites, all using the same server architecture, on the same cluster. For the visitors of these sites it is possible to administer their cookie settings (e.g. no advertising cookies, but allow analytics cookies) on a central domain that keeps track of the user preferences (and sites that are visited).
When they change their settings, all sites that the visitor has been to that are using my module (kept in cookie) are contacted by loading it with a parameter in hidden iframes. I tried the same with images.
On these sites a rewrite rule is in place that detects that parameter and then retracts the cookie (set the date in the past) and redirects to a page on the module site (or an image on the module site).
This scheme is working in all browsers, except IE, as it needs a P3P (Probably the reason why it is not working for images is similar).
I also tried loading a non-existent image on the source domain (that is, the domain that is using the module) through an image tag, obviously resulting in a 404. This works on all browsers, except Safari, which doesn't set cookies on 404's (at least, that is my conclusion).
My question is, how would it be possible to retract the cookie consent cookie on the connected domains, given that all I can change are the rewrite rules?
I hope that I have explained the problem well enough for you guys to give an answer, and that a solution is possible...
I am still not able to resolve this question, but when looked at it the other way around there is a solution. Using JSONP (for an example, see: Basic example of using .ajax() with JSONP?), the client domain can load information from the master server and compare that to local information.
Based on that, the client site can retract the cookie (or even replace it) and force a reload which will trigger the rewrite rules...
A drawback of this solution is that it will hit the server for every pageview, and in my case, that's a real problem. Only testing that every x minutes or so (by setting a temporary cookie) would provide a solution.
Another, even more simple solution would be to expire all the cookies on the client site every x hour. This will force a revisit of the main domain as well.
Can someone please help me to find a solution to maintaining the session across subdomains.
The site uses fake subdomains for users, eg. (thisuser.mysite.com/). All the fake subdomains map to the main site (mysite.com) so there's a common database for everything.
The subdomains are used only for a couple of components (com_xxx) on the site. For other components the user is redirected to the main site via htaccess.
The problem is when a user is redirected to mysite.com from thisuser.mysite.com and vice versa. Their session is not maintained. The user has to login back again.
I have tried updating the cookie domain in php.ini to '.mysite.com' but it doesn't seem to help.
Is it possible that the site may have auto-logins across all subdomains and main domain without any core hacks, assuming the solution lies in making cookies readable from all subdomains, irrespective of from where it's being set?
Thanks all, for your time and suggestions !
I'm not sure how you could do this....
Here is just an idea, it would rely on javascript...
When a user logs in using your login form... a hidden iframe would exist and javascript would post your login data to the login page of each domain for your site, chaining them...
I don't feel it's a safe thing though... maybe I'm wrong...
You could use Joomla's MooTools framework to send Ajax requests to each domain...
Otherwise you might want to check how Joomla creates a session row in the database for each user on the site. Maybe you can just create them for each domain with 1 login. I'm going to check my MySQL....
Are you using Joomla 1.5 or 2.5?
Otherwise i found this document for you:
http://docs.joomla.org/Multiple_Domains_and_Web_Sites_in_a_single_Joomla!_installation
Okay, this was easy. I was testing on the local machine and it seems if the domain doesn't have the dot, then the cookies are not handled well.
Just ensuring that the cookie domain is set to '.mysite.com' gets the job done
1. It is also recommended that you use the same joomla "secret" configuration value in the different websites as it is used to check the data exchanged between the different domains.
2. that cookie domain is set to '.mysite.com' gets the job done
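An added example (not from the original posts) of how a browser scopes a cookie under RFC 6265, which is why a session cookie set on thisuser.mysite.com without a `Domain` attribute is not sent to mysite.com, while one set with `Domain=.mysite.com` is. The function names and the `sid` cookie are constructed, and public-suffix checks that real browsers also apply are left out.

```python
def cookie_scope(set_cookie, origin_host):
    """Return (domain, host_only) a browser stores for a Set-Cookie from origin_host."""
    domain = None
    for attr in set_cookie.split(";")[1:]:
        key, _, value = attr.strip().partition("=")
        if key.lower() == "domain" and value:
            domain = value.lstrip(".").lower()  # RFC 6265 ignores a leading dot
    origin = origin_host.lower()
    if domain is None:
        return origin, True   # host-only cookie: returned to this exact host only
    if origin != domain and not origin.endswith("." + domain):
        return None, False    # a host may not set a cookie for a domain it is not in
    return domain, False


def is_sent_to(set_cookie, origin_host, request_host):
    """Would the cookie set by origin_host accompany a request to request_host?"""
    domain, host_only = cookie_scope(set_cookie, origin_host)
    if domain is None:
        return False
    request = request_host.lower()
    if host_only:
        return request == domain
    return request == domain or request.endswith("." + domain)


if __name__ == "__main__":
    # Constructed Set-Cookie values for the hosts named in the question.
    for header in ("sid=x; Path=/", "sid=x; Domain=.mysite.com; Path=/"):
        print(header, "->", is_sent_to(header, "thisuser.mysite.com", "mysite.com"))
```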