Creating cookie on Intranet page and reading it from public website

  • Question

  • User-644883730 posted

    I have no problems creating a cookie and reading it as long as it is under the same host. However, when I try to create a cookie on one of our Intranet pages, then direct to a site that's on our web server it fails when trying to read the cookie.

    So, the user starts on this page:

    http://10.74.1.11/Intranet/PFD/Filer_ViewUpdate.aspx

    this code runs:

    Dim FilerCookie As New HttpCookie("FilerCookie")

    FilerCookie("EFile_ID") = Encryption.EncryptData(intEFile_ID)

    If IsNothing(FilerCookie) Then
        Response.Cookies.Add(FilerCookie)
    Else
        Response.Cookies.Set(FilerCookie)
    End If

    ClientScript.RegisterStartupScript(Me.GetType, "javascript", "window.open('" & URL & "');", True)

    User is then directed to: http://oursite.me.com/Filers/Form.aspx in a new window...

    On page load it fails on this code when it tries to read the cookie and kicks me to login page:

    Dim FilerCookie As HttpCookie
    If IsNothing(Request.Cookies("FilerCookie")) Then Response.Redirect("PFD_Filer_Login.aspx")

    I have tried resolving the issue by using these lines of code before adding/setting the cookie but it still doesn't work:

    FilerCookie.HttpOnly = True
    FilerCookie.Domain = "oursite.me.com"

    Any help much appreciated!

    Tuesday, February 5, 2013 11:06 AM

Answers

  • User-760709272 posted

    This is by design; it would be a huge security issue if any site could read the cookies from any other site.

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Tuesday, February 5, 2013 11:12 AM

All replies

  • User-644883730 posted

    So... is there nothing I can do? Even if the sites are in the same domain? How does the public recognize the difference between a cookie it created and another site?

    Tuesday, February 5, 2013 11:15 AM
  • User-760709272 posted

    It's the browser that does cookie management for you, and it will only post the cookies that are valid for the domain. An alternative would be something that resolves your internal IP to something that seems like a sub-domain, so you would go to local.yourdomain.com rather than the IP you have listed and www.yourdomain.com would be the public version.

    Tuesday, February 5, 2013 11:20 AM
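
The browser-side rule described in the reply above, as an added example that is not part of the original thread: a simplified model of RFC 6265 domain matching applied to the host names mentioned on this page. It assumes only the Domain attribute matters (Path, Secure, SameSite and public-suffix checks are left out), and the function names are hypothetical.

```javascript
// Simplified model of RFC 6265 cookie scoping (added example, hypothetical names).
const isIp = (h) => /^\d{1,3}(\.\d{1,3}){3}$/.test(h) || h.includes(':');
const canon = (d) => d.toLowerCase().replace(/^\./, '');

// Section 5.1.3: does `host` domain-match `domain`?
function domainMatch(host, domain) {
  host = host.toLowerCase();
  domain = canon(domain);
  if (host === domain) return true;
  // Suffix matching applies to host names only, never to IP addresses.
  if (isIp(host)) return false;
  return host.endsWith('.' + domain);
}

// Section 5.3: what the browser stores when `setterHost` sends Set-Cookie.
// Returns the cookie's scope, or null when the cookie is rejected outright.
function storeCookie(setterHost, domainAttr) {
  // No Domain attribute: host-only cookie, tied to the exact setting host.
  if (!domainAttr) return { domain: setterHost.toLowerCase(), hostOnly: true };
  // A host may only set a Domain that it domain-matches itself.
  if (!domainMatch(setterHost, domainAttr)) return null;
  return { domain: canon(domainAttr), hostOnly: false };
}

// Section 5.4: is the stored cookie attached to a request for `requestHost`?
function isSent(cookie, requestHost) {
  if (cookie === null) return false;
  return cookie.hostOnly
    ? requestHost.toLowerCase() === cookie.domain
    : domainMatch(requestHost, cookie.domain);
}

// Set on one host, then request another: does the cookie arrive?
function scenario(setterHost, domainAttr, requestHost) {
  return isSent(storeCookie(setterHost, domainAttr), requestHost);
}

// Cases taken from the thread: [setting host, Domain attribute, requested host].
const cases = [
  ['10.74.1.11', null, 'oursite.me.com'],
  ['10.74.1.11', 'oursite.me.com', 'oursite.me.com'],
  ['svr-intranet', 'oursite.me.com', 'oursite.me.com'],
  ['local.yourdomain.com', null, 'www.yourdomain.com'],
  ['local.yourdomain.com', 'yourdomain.com', 'www.yourdomain.com'],
];
for (const [s, d, r] of cases) {
  console.log(`${s} Domain=${d || '(none)'} -> ${r}: ${scenario(s, d, r) ? 'sent' : 'not sent'}`);
}
```

Only the last case delivers the cookie. A cookie scoped with Domain=yourdomain.com is sent to every host under that domain, so it should carry only values that all of those hosts are allowed to see.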
  • User-644883730 posted

    I see, thank you.

    Well, instead of 

    http://10.74.1.11/Intranet/PFD/Filer_ViewUpdate.aspx

    I can use

    http://svr-intranet/Intranet/PFD/Filer_ViewUpdate.aspx

    and it's the same page... does that help at all? I'm not familiar with working with subdomains. If this is going to be a somewhat complicated issue, I have another idea that will work... and that involves passing in encrypted data through QueryStrings, just not as clean of a solution as I originally hoped.


    Tuesday, February 5, 2013 11:26 AM