Workaround to share session cookie between two domains in Apache Tomcat

I have a website under a domain called www.example.com.br, and my server is set to work with cookie session tracking mode.

getServletContext().getSessionCookieConfig().setDomain(".example.com.br");
getServletContext().getSessionCookieConfig().setPath("/");

But now I'm introducing an English version of the website under www.example.com, because for Google and SEO techniques it's better to have different domains instead of a subdomain.

I found a lot of questions in Stack Overflow about this, and I know it's impossible for a lot of security reasons.

But isn't there any way to tell Tomcat to work with a cookie domain .example.com.br if the URL has .com.br and .example.com if the URL has .com? I don't need to share session information, i.e. the user may have to log in again if he changes the domain. I'm not worried about it. The problem is that no information on the .com version is being stored at all, because the cookie is set to the .com.br version.

Isn't there any workaround for that?

It is the user's browser that decides whether to send the cookie with the request or not. The web server (Tomcat, in your case) does not have any say in that decision. What you are asking for is explicitly forbidden. For example, RFC 2109 says:

A user agent should make every attempt to prevent the sharing of session information between hosts that are in different domains.

The best recommendation I can make is to make your session management (login, logout, ...) work off a single domain, regardless of which domain the user originally accessed.
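The following added example is not part of the original question or answer. It models the browser-side storage decision using the domain-match rules of RFC 6265 (the current successor to the RFC 2109 text quoted above) and shows why a session cookie scoped to .example.com.br is never stored when it arrives from www.example.com. The function names are hypothetical, hosts are assumed to carry no port, and public-suffix checks are omitted.

```javascript
// Simplified model of how a browser decides whether to store a cookie
// (RFC 6265 sections 5.1.3 and 5.3). Public-suffix checks are omitted.

// Canonicalise a host or Domain attribute: lower-case, drop one leading dot.
function canonical(domain) {
  const d = domain.toLowerCase();
  return d.startsWith(".") ? d.slice(1) : d;
}

// RFC 6265 5.1.3: host domain-matches cookieDomain if they are identical,
// or host ends with "." + cookieDomain and host is not an IP address.
function domainMatches(host, cookieDomain) {
  const h = canonical(host);
  const d = canonical(cookieDomain);
  if (h === d) return true;
  const isIp = /^\d{1,3}(\.\d{1,3}){3}$/.test(h) || h.includes(":");
  return !isIp && h.endsWith("." + d);
}

// Decide what the browser does with a Set-Cookie received from requestHost.
// domainAttr is the Domain attribute, or null when the server sent none.
function storeDecision(requestHost, domainAttr) {
  if (domainAttr === null || domainAttr === "") {
    // No Domain attribute: host-only cookie, returned only to this exact host.
    return { stored: true, hostOnly: true, domain: canonical(requestHost) };
  }
  if (!domainMatches(requestHost, domainAttr)) {
    // The response came from a host outside the named domain: cookie ignored.
    return { stored: false, hostOnly: false, domain: null };
  }
  return { stored: true, hostOnly: false, domain: canonical(domainAttr) };
}

// Constructed cases using the two sites from the question.
const cases = [
  ["www.example.com.br", ".example.com.br"],
  ["www.example.com", ".example.com.br"],
  ["www.example.com", ".example.com"],
  ["www.example.com", null],
];
for (const [host, attr] of cases) {
  console.log(host, attr, JSON.stringify(storeDecision(host, attr)));
}
```

The second case is the situation in the question: the cookie is discarded, so no session state survives on the .com site.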
