
Key: GLASSFISH-20710
Type: Bug
Status: Open
Priority: Major
Assignee: JeffTancill
Reporter: pljosh
Votes: 0
Watchers: 0

Set domain for sso-cookie.

Created: 18/Jul/13 08:27 AM   Updated: 20/Jul/13 07:27 PM
Component/s: security
Affects Version/s: None
Fix Version/s: None

Time Tracking: Not Specified

Tags: sso cookie sso-cookie domain
Participants: JeffTancill and pljosh

Description

There is no way to set domain for sso-cookie.

I have tried hacking by intercepting response#addCookie, response#addHeader or any other possible method, but the org.apache.catalina.authenticator.AuthenticatorBase is not provided with my wrapped ServletResponse.

pljosh added a comment - 20/Jul/13 07:26 PM - edited

Here is my (ugly) workaround:

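private void setupSsoCookieDomain(HttpServletResponse response) {
    // Nothing to do without a configured domain that contains a dot
    if (domainName == null || domainName.indexOf('.') == -1) {
        return;
    }
    boolean first = true;
    // Iterate over a copy, because the headers are rewritten inside the loop
    for (String cookie : new java.util.ArrayList<String>(response.getHeaders("Set-Cookie"))) {
        if (cookie.startsWith(SSO_COOKIE_NAME) && !cookie.contains("Domain")) {
            //insert Domain=.domain to apply cookie for any subdomain
            cookie = cookie.replace("Path=", "Domain=." + domainName + "; Path=");
        }
        // setHeader replaces all existing Set-Cookie headers; addHeader re-adds the rest
        if (first) {
            response.setHeader("Set-Cookie", cookie);
        } else {
            response.addHeader("Set-Cookie", cookie);
        }
        first = false;
    }
}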
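
A stricter form of the header rewrite used in the workaround above, added here as an example (not the reporter's or GlassFish's code): it matches the cookie name exactly, detects an existing Domain attribute case-insensitively, and validates the domain so the value cannot inject attributes or headers. The class name, `withDomain`, the sample headers and the `JSESSIONIDSSO` cookie name are assumptions; the domain is written without a leading dot, which RFC 6265 clients ignore anyway.

```java
import java.util.regex.Pattern;

public class SsoCookieDomain {
    // Host-name characters only: rejects CR/LF, ';' and spaces, so the value cannot inject attributes or headers.
    private static final Pattern SAFE_DOMAIN = Pattern.compile("[A-Za-z0-9-]+(\\.[A-Za-z0-9-]+)+");

    /** Returns the Set-Cookie value with a Domain attribute added, or unchanged if it does not apply. */
    static String withDomain(String header, String cookieName, String domain) {
        if (domain == null || !SAFE_DOMAIN.matcher(domain).matches()) {
            throw new IllegalArgumentException("unsafe cookie domain");
        }
        String[] parts = header.split(";", -1);
        int eq = parts[0].indexOf('=');
        // Exact name match: startsWith() would also rewrite e.g. JSESSIONIDSSO_OTHER.
        if (eq < 0 || !parts[0].substring(0, eq).trim().equals(cookieName)) {
            return header;
        }
        for (int i = 1; i < parts.length; i++) {
            String attr = parts[i].trim();
            int aeq = attr.indexOf('=');
            String attrName = aeq < 0 ? attr : attr.substring(0, aeq);
            // Attribute names are case-insensitive; contains("Domain") would miss "domain=".
            if (attrName.trim().equalsIgnoreCase("Domain")) {
                return header;
            }
        }
        // Insert right after name=value so it works whether or not a Path attribute exists.
        StringBuilder out = new StringBuilder(parts[0]).append("; Domain=").append(domain);
        for (int i = 1; i < parts.length; i++) {
            out.append(';').append(parts[i]);
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample header values; JSESSIONIDSSO is assumed as the SSO cookie name.
        String[] samples = {
            "JSESSIONIDSSO=ABC123; Path=/; HttpOnly",
            "JSESSIONIDSSO=ABC123; domain=sso.example.com; Path=/",
            "JSESSIONIDSSO_OTHER=x; Path=/",
            "JSESSIONID=def456; Path=/app"
        };
        for (String s : samples) {
            System.out.println(withDomain(s, "JSESSIONIDSSO", "example.com"));
        }
    }
}
```

Setting Domain to a parent domain sends the SSO cookie to every host under it, so the narrowest domain that covers the applications sharing the session is the one to configure.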