Forum Discussion
Chris_Miller
Altostratus
AltostratusMulti-Domain Cookie Issue
Here's my situation...
I have a site, www.sample.com - configured with Akamai. The "origin" points to a VS on my LTM to which I have an iRule that sends users to different pools depending on a cookie value. I want to allow certain users to hit a specific pool but also want them to do so through Akamai. Since access to Akamai is wide open, I need them to hit my "origin" first and if they match my whitelist, I'll set a cookie and redirect them.
My initial assumption was that I'd do something like this:
1. A user hits origin.sample.com/1
2. My iRule inserts a cookie named "x" with the value of whatever is behind the / - in this case, a 1.
3. The iRule redirects them to www.sample.com (which goes through Akamai) and since they have a cookie value of 1, they'd go to the right pool.
Unfortunately, I forgot that the cookie "x" with value of "1" would be for the domain "origin.sample.com" and not "www.sample.com" so this likely wouldn't work.
Can anyone think of a better way to do this? Could I configure an iRule on my origin VS that looks at cookies from a specific domain?
hoolioCirrostratus
Hi Chris,
Couldn't you set the domain on the x cookie to sample.com so that clients will send the cookie on all requests to any sample.com domain?
Aaron- Chris_MillerPosted By hoolio on 06/26/2010 02:15 PM
Hi Chris,
Couldn't you set the domain on the x cookie to sample.com so that clients will send the cookie on all requests to any sample.com domain?
Aaron
Aaron - I love having you around! I should have noticed the "domain" option in the http::cookie wiki. Thanks! - Chris_MillerAaron - how would I go about checking to see whether a cookie exists for a different domain? If they have a cookie for www.example.com, I'll need to remove it before inserting my new one...
- hoolioYou could check the domain on each cookie using a loop of HTTP::cookie domain against a list from HTTP::cookie names. Are you concerned that you might already have a cookie x set by the app?
Aaron - Chris_MillerPosted By hoolio on 06/28/2010 08:22 AM
You could check the domain on each cookie using a loop of HTTP::cookie domain against a list from HTTP::cookie names. Are you concerned that you might already have a cookie x set by the app?
Aaron
If a user first goes to www.sample.com, they'll get sent to pool 1 or pool 2 - if pool 1, they'll get a cookie set to "1". Now, if they specify origin.sample.com/2, I need to check whether a cookie exists for www.sample.com, rewrite its value to "2", and redirect them to www.sample.com. - hoolioThe HTTP request doesn't include any details for cookies other than the cookie name and value. So you couldn't tell just from the request what domain a cookie was set for. You might be able to set the name or value with a unique string that tells you what VS (or domain) the cookie was set for.
Aaron - Chris_MillerPosted By hoolio on 06/28/2010 08:57 AM
The HTTP request doesn't include any details for cookies other than the cookie name and value. So you couldn't tell just from the request what domain a cookie was set for. You might be able to set the name or value with a unique string that tells you what VS (or domain) the cookie was set for.
Aaron
If I try to set a cookie for domain www.sample.com that already exists - what would the browser do? - hoolioIf the domain on the cookie (and all other attributes), the browser should replace the old cookie with the new cookie value. If the domain or other attribute (like path) is different, then the client will store two cookies. The simplest way to check the exact behavior would be to use a browser plugin like HttpFox and test it.
Aaron - Chris_MillerPosted By hoolio on 06/28/2010 09:48 AM
If the domain on the cookie (and all other attributes), the browser should replace the old cookie with the new cookie value. If the domain or other attribute (like path) is different, then the client will store two cookies. The simplest way to check the exact behavior would be to use a browser plugin like HttpFox and test it.
Aaron
For whatever reason - the domain cookie insert doesn't appear to be working. I'm basically saying : If user hits x.sample.com/1, set cookie "x" with value "1" domain "www.awesome.com" http::redirect "http://www.awesome.com" This doesn't appear to be setting a cookie for the www.awesome.com domain - any ideas? - hoolioHTTP user agents enforce a domain "firewall" to prevent one site from setting, accessing or modifying cookies from another domain. A subdomain can set cookies for it's own root domain though. So site1.example.com can set cookies for example.com which will be sent by clients to site2.example.com. But as you found, no subdomain on example.com can't set cookies for example2.com or any other domain.
See this wikipedia article for details:
http://en.wikipedia.org/wiki/Same_origin_policy
Can you use subdomains for this? If not, I think you'll need to re-architect the solution. I suppose you could insert something in the URI in the redirect which contains similar info.
Aaron
