Mar 17th, 2011, 07:41 AM
Cross domain cookies
I want a user to be able to use a session across multiple subdomains. I understand that by default cookies are subdomain specific and in order to have a session work across subdomains, the cookie should be set as .domain.com instead of sub.domain.com.
What I'm not sure about is how to do this. Should I do this by modifying Spring Security or is this a web server kind of configuration?
If I have to modify Spring Security for this, can I do this in a central place? Any suggestions for this? There doesn't seem to be a lot of information on the subject.
Mar 17th, 2011, 08:32 AM
There's a section on session management in the FAQ.
Session management is not controlled by Spring Security, so it has no control over the domain setting for the session cookie. If you're using Tomcat, then you can use the sessionCookieDomain setting.
Mar 17th, 2011, 08:33 AM
What cookie are you trying to set that needs to be shared across multiple domains? If it is the JSESSIONID, then that is specified by your container (i.e. Tomcat).
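
Added example, not part of the thread: a small model of the RFC 6265 domain-matching rules that decide which hosts receive a cookie, showing what changes when the container sets the session cookie's domain to .domain.com as discussed above. The hostnames are constructed, the function names are hypothetical, and the public-suffix check that browsers also apply is left out.

```javascript
// Constructed hostnames used to compare cookie scope.
const HOSTS = ["sub.domain.com", "other.domain.com", "domain.com", "notdomain.com"];

// RFC 6265 section 5.1.3: does `host` domain-match `cookieDomain`?
function domainMatches(host, cookieDomain) {
  host = host.toLowerCase();
  cookieDomain = cookieDomain.toLowerCase();
  if (host === cookieDomain) return true;
  const isIp = /^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.includes(":");
  // A suffix match counts only on a label boundary, and never for IP addresses.
  return !isIp && host.endsWith("." + cookieDomain);
}

// Model how a browser stores a cookie received from `originHost`.
// `domainAttr` is the Domain attribute value, or null when it is absent.
function storeCookie(originHost, domainAttr) {
  if (domainAttr === null || domainAttr === "") {
    // No Domain attribute: host-only cookie, returned to the exact host only.
    return { domain: originHost.toLowerCase(), hostOnly: true };
  }
  // Section 5.2.3: a leading dot in the attribute value is ignored.
  const domain = domainAttr.replace(/^\./, "").toLowerCase();
  // Section 5.3: the setting host must itself domain-match the attribute.
  if (!domainMatches(originHost, domain)) return null; // cookie rejected
  return { domain, hostOnly: false };
}

// Would the stored cookie be attached to a request for `requestHost`?
function isSentTo(cookie, requestHost) {
  if (cookie === null) return false;
  return cookie.hostOnly
    ? requestHost.toLowerCase() === cookie.domain
    : domainMatches(requestHost, cookie.domain);
}

// List the hosts from `hosts` that would receive the cookie.
function receivingHosts(originHost, domainAttr, hosts) {
  const cookie = storeCookie(originHost, domainAttr);
  return hosts.filter((h) => isSentTo(cookie, h));
}

console.log("default:", receivingHosts("sub.domain.com", null, HOSTS));
console.log(".domain.com:", receivingHosts("sub.domain.com", ".domain.com", HOSTS));
```

With the domain set, every host under domain.com receives the session cookie, so each of those subdomains has to be trusted to the same degree as the application that issued it.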