Please browse the categories below to previous answers to questions like yours. If you do not find the answer for your particular situation, ask for help on the appropriate mailing list.
Session Management and Multiple Domains
----------
From: "Craig R. McClanahan" <cmcclanahan@mytownnet.com>
To: Java Apache Users <java-apache-users@list.working-dogs.com>
Subject: Re: Session management for multiple subdomains
Date: Fri, Mar 5, 1999, 8:28 AM

Joel Shellman wrote:

> We run various services under the knocean.com domain name
> (synapse.knocean.com, scrapbook.knocean.com, member.knocean.com, etc.).
> Is there an easy way to create a session under one subdomain that will
> carry over to all subdomains?
>
> In other words, I go to member.knocean.com and the servlet creates a
> session. Then I want to go to synapse.knocean.com, I already
> authenticated so I don't want to have to do it again. Is there a simple
> way to do it?
>
> I could just throw a cookie in there, but then I lose the ease of
> session management and open up possible security risks.

In Apache JServ, sessions are local to a particular zone, which is in turn
local to a particular virtual host.

In the 2.1 servlet API spec, sessions are local to a servlet context, and
a servlet context is specifically limited to a single virtual host.  Thus,
what you want to do (sharing a session across virtual hosts) won't be
allowed.

The reasons for this are primarily the ones you don't like about the
"throw a cookie in there" approach -- security.  The application designer
who packages their app into a particular servlet context is not going to
like the possibility that outside servlets have access to the user objects
stored in the session, because it allows all sorts of malicious behavior.


>
> Thank you,
>
> Joel Shellman
> knOcean Interactive Corporation
> http://corp.knOcean.com/
>

Craig McClanahan
This document is: http://java.apache.org/faq/?file=35