I need to change a cookie's value for another domain. I know that we cannot do it using JavaScript. Is it possible using a servlet?
I am trying like this, but with no success. Where am I going wrong? I have two web applications, namely Cookies1 and Cookies2, deployed in one Tomcat on localhost.
Servlet of cookie1 application
    protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
        response.setContentType("text/html");
        PrintWriter pw = response.getWriter();
        // String Html = "<HTML><BODY>HI</body></html>";
        // pw.write(Html);
        Cookie cookie = new Cookie("__utmz", "Arvind");
        cookie.setDomain("http://localhost:8080/Cookie2");
        cookie.setPath("/");
        response.addCookie(cookie);
        //response.getWriter().write(Html);
    }
Servlet of cookie1 application
    protected void doGet(HttpServletRequest request,
            HttpServletResponse response) throws ServletException, IOException {
        System.out.println("CookieSetDm.doGet()");
        Cookie[] cookies = request.getCookies();
        if (cookies != null) {
            for (int i = 0; i < cookies.length; i++) {
                System.out.println(cookies[i].getName() + " <> " + cookies[i].getValue());
            }
        }
    }
asked Nov 20, 2013 at 7:18
Arvind
2 Answers
You can't modify the cookies of one domain using a servlet or JavaScript hosted on another domain, for security reasons. See RFC 6265, section 4.1.2.3:
The user agent will reject cookies unless the Domain attribute specifies a scope for the cookie that would include the origin server. For example, the user agent will accept a cookie with a Domain attribute of "example.com" or of "foo.example.com" from foo.example.com, but the user agent will not accept a cookie with a Domain attribute of "bar.example.com" or of "baz.foo.example.com".
But you can set a cookie in a servlet/script and then read/modify the cookie in another servlet/script on the same host. You can even read or modify a cookie set on a server running on one port on the same hostname/domain from a server running on another port at the same hostname/domain - so you can have Tomcat running on two different ports on the same server and exchange cookies between the two.
Note that you're calling setDomain incorrectly in the first example - this field of the cookie takes a domain name and not a full URL. So the call should look like this:
    cookie.setDomain("localhost");
As the other answer notes, some browsers ignore cookies for localhost, so you may want to not set this field of the cookie at all - this has the effect of setting a cookie that will only be returned to the same host that set it (which most of the time is what you want).
You can only do this between two domains that end with the same thing; e.g. you can set a cookie's domain to '.domain.' so that 'x.domain.' and 'y.domain.' both have access to it. The cross-domain cookie rules are described in RFC 2109. In particular:
4.3.2 Rejecting Cookies
To prevent possible security or privacy violations, a user agent rejects a cookie (shall not store its information) if any of the following is true:
The value for the Path attribute is not a prefix of the request-URI.
The value for the Domain attribute contains no embedded dots or does not start with a dot.
The value for the request-host does not domain-match the Domain attribute.
The request-host is a FQDN (not IP address) and has the form HD, where D is the value of the Domain attribute, and H is a string that contains one or more dots.
Examples:
A Set-Cookie from request-host y.x.foo.com for Domain=.foo.com would be rejected, because H is y.x and contains a dot.
A Set-Cookie from request-host x.foo.com for Domain=.foo.com would be accepted.
A Set-Cookie with Domain=.com or Domain=.com., will always be rejected, because there is no embedded dot.
A Set-Cookie with Domain=ajax.com will be rejected because the value for Domain does not begin with a dot.
As long as you are not violating the above rules, you are fine. Otherwise, browsers will reject the cookie.
It is worth noting that "localhost" does not fit into the above rules, and some browsers can and do reject cookies with a "localhost" domain.
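The domain-match rule from RFC 6265 that the first answer quotes, written out as a check a servlet could run before calling setDomain. This is an added example, not code from either answer: the class and method names are hypothetical, the request host is assumed to be passed without a port, and the sample inputs are constructed from the values on this page.

```java
import java.util.Locale;

// Added illustration; class and method names are hypothetical, not servlet API.
public class CookieDomainCheck {

    // RFC 6265 section 5.1.3: the host domain-matches when it is identical to the
    // domain, or ends with "." + domain and is a host name rather than an IP address.
    static boolean domainMatches(String host, String domain) {
        if (host.equals(domain)) return true;
        boolean isIp = host.matches("[0-9.]+") || host.contains(":");
        return !isIp && host.endsWith("." + domain);
    }

    // Returns null when the Domain attribute passes the check, otherwise the reason.
    static String rejectionReason(String requestHost, String domainAttr) {
        if (domainAttr == null || domainAttr.isEmpty()) {
            return null; // no Domain attribute: host-only cookie
        }
        if (domainAttr.contains("/") || domainAttr.contains(":")) {
            return "not a host name (URL or host:port)";
        }
        String domain = domainAttr.toLowerCase(Locale.ROOT);
        if (domain.startsWith(".")) {
            domain = domain.substring(1); // RFC 6265 section 5.2.3 ignores a leading dot
        }
        return domainMatches(requestHost.toLowerCase(Locale.ROOT), domain)
                ? null : "request host does not domain-match";
    }

    public static void main(String[] args) {
        String[][] cases = { // constructed sample inputs: {request host, Domain attribute}
            {"foo.example.com", "example.com"},
            {"foo.example.com", "foo.example.com"},
            {"foo.example.com", "bar.example.com"},
            {"foo.example.com", "baz.foo.example.com"},
            {"localhost", "http://localhost:8080/Cookie2"},
            {"localhost", ""},
        };
        for (String[] c : cases) {
            String why = rejectionReason(c[0], c[1]);
            System.out.printf("%-16s Domain=%-30s %s%n", c[0], c[1],
                    why == null ? "accepted" : "rejected: " + why);
        }
    }
}
```

It does not model the stricter RFC 2109 conditions quoted in the second answer, nor browsers' public-suffix or localhost handling.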