[Edit] Session/Logged In Issue with multiple servers on same domain

[Stu]

Hi Folks/Bruce,

I have two sites on the "mydomain.com" domain.

Site A - Intranet (www.mydomain.com), logging in
Site B - Intranet (https://subdomain.mydomain.com:88), logging in

1. Visit Site A, log in.
2. New tab on browser (chrome, firefox, IE), visit Site B, log in.
3. Return to Site A, have been logged out.

It seems like when I visit one or the other sites after visiting the other, the Session is cleared somehow?

Grateful for any wisdom/experience on this matter.

Cheers.

[Stu]

** Edited above after doing some more testing revealed it's having 2 being logged in at the same time (not just visiting a public site).

[Bruce]

The subdomains share the same cookies.
Which means they'll all be using the same SessionID cookie.
If you have "change Session on Login or Logout" set on (WebServer Security tab) then I could definitely see this effect happening.

cheers
Bruce

[Stu]

Hey Bruce,

Okay, thanks for the info.

Can I change the way the cookies work then? Make them unique for a sub-domain?

[Bruce]

I need to look into this a bit further. The short answer seems to be yes.

[Stu]

Awesome. Thanks Bruce.

[Stu]

Hey Bruce,

I know this is a couple of years back, the post, but have been testing a new website that while in testing is on the same sub-domain as our intranet, and unless I use different browsers / incognito (which is fine, am happy to do this), I get logged out of the intranet.

Back then you were talking about the possibility of cookies being different per sub domain.

However, what's happening at the moment is that the servers are on the same sub-domain, it's just that the PORT numbers are different.

So.

QUESTION 1: Would the "Bind Session to IP Address" option in the Webserver template also take the port number into consideration? (easy enough for me to test, which I'm doing now)

[Edit] Didn't seem to recognise the port in testing, so probably not a question that needs asking.

QUESTION 2: If not, is there any way we could have the option to put a custom prefix/suffix on cookie names in the webserver template, to help out differentiate between two servers on the same domain/subdomain but different ports?

Cheers!

[peterH]

Hi Stu / Bruce,

I'd be very interested in a solution to this as I'm seing the same problem (being logged out)
I've got a second server on the same domain - using a different port - to do admin tasks and it doesn't play well at all 

Peter

[Bruce]

It's worth seeing this from the browser point of view in order to understand what is, and is not, possible.

Firstly, I'm not sure if this was common knowledge, but you can do cookies by sub-domains now, there's a FOLDER setting for that. (Although I'm not sure that's been applied to session cookies.)

A good reference to understand cookies is https://en.wikipedia.org/wiki/HTTP_cookie and of particular interest to this discussion is https://en.wikipedia.org/wiki/HTTP_cookie#Implementation

From that you'll see that the IP address, and port number, play no part in cookies. They are differentiated solely on the domain, subdomain, and possibly folder.

So the short answer Stu - no it's not possible to separate cookies by port number. While you may run the servers on different ports it's recommended that you add a sub-domain pre additional port and perhaps just do a redirect to that subdomain when using the server on the other port.

Sorry.
Cheers
Bruce

[Stu]

Thanks Bruce.

So, just because I'm thick-headed and maybe not reading this right - There's no way to prepend or append a piece of text to a cookie-name on the server level, so we could have server-specific cookies?

[Bruce]

Hi Stu,

so you're thinking along the lines of having _2_ cookies,
SessionIDA
and
SessionIDB
so although the servers share the same _domain_ they only use "their" session cookie, and ignore the other one?

That's a creative approach which I support might work. I would need to think about this...

Cheers
Bruce

[Stu]

Yes!

Fantastic, keep thinking This would be very very cool.

[Bruce]

In 9.14 I've added a new property (SessionIDName) that you can set in webhandler in the ProcessRequest method, before the parent call.

example
p_web.SessionIDName = 'SessionIDA'

Be sure you embed that in ProcessRequest, before the parent call, not in ProcessLink.

I would recommend against changing the default, except in very specific cases such as the one you described.

Cheers
Bruce

[Stu]

That's really cool Bruce, thank you.

What would be the dangers in changing this?