Question

For sessions and cookies, is there a difference between example.com and www.example.com?

I have a very strange problem with our web application

The private web is: private.example.com
The public web is: example.com

For some reason outside my control, www.example.com is always redirected to example.com. I guess this is the setup on the server.

The problem is when I log in to the admin console, open a new tab and request the public site, the login session is lost.

This only happens in IE 7

After some digging I found this site:

http://blogs.msdn.com/ieinternals/archive/2009/08/20/WinINET-IE-Cookie-Internals-FAQ.aspx

See Q3

Can it be that the session set in admin(private.example.com) is deleted when I access the public site? Since the server is redirecting me to example.com?

I think we do not specify the domain part when setting the cookie (Java)

As I said, this only happens with XP SP3 and IE7

Anyone who can help me, or correct my understanding of the IE stuff.


Solution

Yes, cookies are domain and even sub-domain specific. So this is the problem. For consistency's sake, I'd try to find a way to keep it on the same sub-domain.

You said the redirect from www.yourdomain.com to yourdomain.com is outside your control. Is that because you don't have access to the server? If so, you could attack it from another angle. Instead of preventing the redirect, you could set up a global 301 redirect rule so that every user who goes to www.yourdomain.com is instantly redirected to yourdomain.com (kinda like StackOverflow.com). That way it remains consistent on every page of the site.

There are many different ways to accomplish this. But if by chance you're using .NET, see my answer to this question: Setting up HTTP Redirect for SEO in IIS7

That's a pure .NET code solution that requires no additional modules so it'd work even if you don't have access to the server. Actually that answer is for the reverse scenario (non-www to www) but it could easily be modified for this task.

OTHER TIPS

Cookies are always set on a subdomain rather than the domain itself, when being created. You'll have to specifically set up the cookie to point to example.com when created. We had the same problem with admin.example.com and dealer.example.com login cookies.

Domains and sub-domains are independent of each other when it comes to cookies. I would check your DNS records to see where your A records actually point, then look at your webserver to see how the subdomains are interpreted. Sometimes servers are configured to treat subdomains as url redirections, especially in large hosted solutions.

You might also want to check if the Java equivalent of the ASP property 'Response.Cookies("UID").Domain' is set somewhere along the line.

If you set a cookie for example.com it should be sent to www.example.com and private.example.com, but if you set a cookie for private.example.com it should not be sent to example.com. Some sites set all their cookies against www.example.com and serve static content from static.example.com or another domain so cookies are not needlessly sent along with requests for static content.

See also http://developer.yahoo.com/performance/rules.html#cookie_free
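The scoping rules the two answers above describe (a cookie set without a Domain attribute stays on the exact host that set it; a cookie with Domain=example.com is sent to example.com and every subdomain) can be checked with a small model of a browser cookie jar. The following is an added example, not code from the thread; it implements the RFC 6265 host-only and domain-matching rules and feeds in constructed Set-Cookie headers for the admin/public layout from the question. Path, Expires and Secure handling are deliberately left out.

```python
# Added example, not code from the original thread: a minimal cookie jar that
# applies the RFC 6265 host-only and domain-matching rules to show which
# cookies a browser would send to example.com, www.example.com and
# private.example.com. Path, Expires and Secure handling are left out.

from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    domain: str       # scope of the cookie, lower-case, no leading dot
    host_only: bool   # True when Set-Cookie carried no Domain attribute


# Jar keyed by (name, domain) so re-setting a cookie replaces the old value.
CookieJar = Dict[Tuple[str, str], Cookie]


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 s5.1.3: the host domain-matches if it equals the cookie domain
    or is a subdomain of it on a dot boundary (so badexample.com never matches)."""
    request_host = request_host.lower()
    cookie_domain = cookie_domain.lower()
    return request_host == cookie_domain or request_host.endswith("." + cookie_domain)


def parse_set_cookie(header: str) -> Tuple[str, str, Optional[str]]:
    """Return (name, value, Domain attribute or None) from a Set-Cookie value."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    domain = None
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        if key.strip().lower() == "domain":
            domain = val.strip().lower().lstrip(".")   # a leading dot is ignored
    return name.strip(), value.strip(), domain


def store_cookie(jar: CookieJar, set_by_host: str, header: str) -> bool:
    """Apply the RFC 6265 s5.3 storage rules. Returns False if the cookie is rejected."""
    name, value, domain_attr = parse_set_cookie(header)
    set_by_host = set_by_host.lower()
    if domain_attr is None:
        # No Domain attribute: host-only, returned only to the exact host that set it.
        cookie = Cookie(name, value, set_by_host, host_only=True)
    else:
        # A host may only scope a cookie to itself or to a parent domain.
        if not domain_matches(set_by_host, domain_attr):
            return False
        cookie = Cookie(name, value, domain_attr, host_only=False)
    jar[(cookie.name, cookie.domain)] = cookie
    return True


def cookies_for(jar: CookieJar, request_host: str) -> List[str]:
    """Names of the cookies the browser would attach to a request for request_host."""
    request_host = request_host.lower()
    sent = []
    for c in jar.values():
        if c.host_only:
            if request_host == c.domain:
                sent.append(c.name)
        elif domain_matches(request_host, c.domain):
            sent.append(c.name)
    return sorted(sent)


def demo() -> Dict[str, List[str]]:
    """Constructed Set-Cookie headers modelling the admin/public setup from the question."""
    jar: CookieJar = {}
    # Admin console session cookie with no Domain attribute (the usual servlet default).
    store_cookie(jar, "private.example.com", "JSESSIONID=admin-session; Path=/")
    # A cookie the admin host deliberately scopes to the parent domain.
    store_cookie(jar, "private.example.com", "SSO=token; Domain=example.com; Path=/")
    # The public site's own host-only cookie.
    store_cookie(jar, "example.com", "PUB=1; Path=/")
    return {host: cookies_for(jar, host)
            for host in ("private.example.com", "example.com", "www.example.com")}


if __name__ == "__main__":
    for host, names in demo().items():
        print(f"{host:22} -> {names}")
```

Running it shows private.example.com receiving JSESSIONID and SSO, example.com receiving PUB and SSO, and www.example.com receiving only SSO: the admin session cookie never travels to the public host, in either direction, unless its Domain is set explicitly. In a Java servlet that is `Cookie.setDomain("example.com")` (the equivalent of the ASP property mentioned above); the model also rejects a Set-Cookie whose Domain is not the setting host or one of its parents, which is what stops one site from planting cookies for an unrelated domain.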

Licensed under: CC-BY-SA with attribution