Tutorial: Cross domain cookie access (or session)


While I realise that this is usually related to cross site scripting attacks, what I'm wondering is how can a session remain valid throughout multiple subdomains belonging to a single domain (example: a user logging in only once, and being able to access both subdomain1.domain.com and subdomain2.domain.com with the same session). I guess I first need to understand how it works, but so far I haven't been able to find much that would be of any relevance.

But then again, maybe I wasn't asking the right question.

Thanks in advance :)


Inproc sessions cannot remain valid, however you can code your web application to allow cookies across multiple subdomains. You will need to set the domain equal to:

Response.Cookies("CookieName").Domain = ".mydomain.com"  

Remember the period.


There are quite a few ways to share session data or cookie data across domains. The simplest is to share it on the server side through a shared data store. But you would not be asking this question if it were that easy.

The other way to do this is equally simple. The domain one.com contains some session data say name=aleem and id=123 and wishes to pass this along to two.com. It will follow these steps:

  1. Make a call to two.com/api/?name=aleem&id=123
  2. When two.com gets the data via query parameters, it creates a cookie with the data. This cookie will be stored under the two.com domain.
  3. two.com will then redirect back to the REFERER which in this case happens to be one.com

This is a simplified scenario. The domain two.com needs to be able to trust one.com and not only that but it needs to know that the request is authentic and not just crafted by the user so you need to use public/private keys to mitigate this.
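
An added example, not part of the original answer: one way to make the hand-off in the steps above authentic with a public/private key pair, using Node.js and its standard library. The function names, the 60-second lifetime, the in-memory replay cache and the allow-listed return origin are assumptions made for illustration.

```javascript
// Added example (Node.js, standard library only); all names are hypothetical.
const { generateKeyPairSync, sign, verify, randomUUID } = require('node:crypto');

// Constructed key pair: one.com keeps privateKey, two.com holds only publicKey.
const { publicKey, privateKey } = generateKeyPairSync('ed25519');
const b64u = (data) => Buffer.from(data).toString('base64url');

// one.com: sign the session data plus audience, short expiry and one-time id.
function issueToken(data, key, nowMs = Date.now()) {
  const claims = { ...data, aud: 'two.com', exp: nowMs + 60_000, jti: randomUUID() };
  const body = b64u(JSON.stringify(claims));
  return `${body}.${b64u(sign(null, Buffer.from(body), key))}`;
}

const seenIds = new Set(); // replay cache on two.com (in memory for the example)

// two.com: check the signature before parsing, then audience, expiry, replay.
function acceptToken(token, key, nowMs = Date.now()) {
  const [body, sig, extra] = String(token).split('.');
  if (!body || !sig || extra !== undefined) return { ok: false, reason: 'malformed' };
  if (!verify(null, Buffer.from(body), key, Buffer.from(sig, 'base64url'))) {
    return { ok: false, reason: 'bad signature' };
  }
  const claims = JSON.parse(Buffer.from(body, 'base64url').toString('utf8'));
  if (claims.aud !== 'two.com') return { ok: false, reason: 'wrong audience' };
  if (nowMs > claims.exp) return { ok: false, reason: 'expired' };
  if (seenIds.has(claims.jti)) return { ok: false, reason: 'replayed' };
  seenIds.add(claims.jti);
  return { ok: true, claims }; // only now set the cookie under two.com
}

// two.com: step 3 redirects to an allow-listed origin, not to a raw Referer.
const RETURN_ORIGINS = new Set(['https://one.com']);
function safeReturnUrl(referer) {
  try {
    const url = new URL(referer);
    return RETURN_ORIGINS.has(url.origin) ? url.href : 'https://one.com/';
  } catch {
    return 'https://one.com/';
  }
}
```

Because the token travels in a query string it can end up in server logs and browser history; the short expiry and single-use id limit what a leaked token is worth.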


By default, all cookies for a site are stored together on the client, and all cookies are sent to the server with any request to that site. In other words, every page in a site gets all of the cookies for that site. However, you can set the scope of cookies in two ways:

  1. Limit the scope of cookies to a folder on the server, which allows you to limit cookies to an application on the site.
  2. Set scope to a domain, which allows you to specify which subdomains in a domain can access a cookie.

You can learn more here.


The comments about the cookie being set for the domain to allow subdomains to receive that cookie give you that side but what's missing is the consistency of session.

I think this is very much like the problem of maintaining state across servers in a farm and the solution is probably to ensure that your session store is consistent across both sites (if they are not served from the same 'web site' in IIS). You can move the Session store into SQL Server (HOW TO: Configure SQL Server to Store ASP.NET Session State) which would probably serve the purpose as each site would query the same store when looking for the session data related to the cookie they've been presented with.

I hope that gets you on the right track.


If you have the ability to set up a common subdomain, you can do this:

In your subdomain html files, include a javascript file at the top like this:

<script src="http://common.domain.com/check.asp"></script>

In check.asp, look for your logged_in cookie and if not present, show a page say, http://common.domain.com/login.asp using something like

<%  if (cookie_not_found){  %>  location.href = "http://common.domain.com/login.asp";  <%  }  %>

Once a person submits username password, submit it back to the same login.asp and set the session cookie, (which will be set in common.domain.com domain) and then redirect to http://subdomain1.domain.com.

What will happen now is, a call will be made to the embedded "common.domain.com/check.asp", and cookies for common.domain.com will be sent by the browser along with the request. So you will know whether your session is valid or not, even when you are in subdomain1.domain.com.


You can set a cookie for a specific domain.

In PHP, the setCookie() method contains a parameter in which you can specify the top-level domain, so the cookie is valid for all subdomains. Based on your tags, I see you are working in ASP.NET. Probably this also exists for ASP...

After a little search for ASP:

Try this:

Response.Cookies("CookieName").Domain = ".mydomain.com"  

or read this


Here is a solution which works:

