CEF Forum

In our application we use cookies for authentication. We use the global cookie manager to set a cookie with the respective domain, for example "server.domain.de". Now, however, I have noticed that this cookie arrives in the chromium as ".server.domain.de", with a dot in front of it. While this basically works for authentication, there are problems if this cookie is to be overwritten by the web server. If the web server wants to overwrite the cookie, it does not use a dot. This ultimately gives us two cookies with the same name, which results in authentication errors.
My question now: How can I configure the Global Cookie Manager not to place a dot in front of the domain?

I pass this data to the cookie manager:

url = "https://server.domain.de/some/path"
name = "AuthSessionId"
value = "..."
domain = "server.domain.de"
path = "/"
secure = true (also tried with false)
httponly = true (also tried with false)
creation = (Now)
last_access = (Now)
has_expires = false
expires = (not set)

Also tried it with expire date:
has_expires = true
expires = (Now + 2 days)

I'm using the Delphi implementation CEF4Delphi for using chromium embedded framework. CEF4Delphi passes the domain correctly to the global cookie manager.

See https://stackoverflow.com/questions/468 ... meters-php

I know what the difference is between these two guys. My problem is that I HAVE to set a cookie WITHOUT the dot, but Cef won't let me. Cef simply adds a dot to the domain on his own authority. And that's why we have serious problems. And since the Cookie Manager is browser independent, you can't leave the domain empty, because it can't be set automatically.

CEF documentation states clearly that you can set an empty domain, you just have to READ IT.

If you set |CefCookie.domain| then you will get a domain cookie (with the dot). Otherwise you will get a host cookie and the host value will be extracted from the |url| parameter passed to CookieManager::SetCookie.

magreenblatt wrote:If you set |CefCookie.domain| then you will get a domain cookie (with the dot). Otherwise you will get a host cookie and the host value will be extracted from the |url| parameter passed to CookieManager::SetCookie.

Thank you, this worked fine.

Czarek wrote:CEF documentation states clearly that you can set an empty domain, you just have to READ IT.

I think it is a (bad) development of modern times that a developer no longer looks at the documentation. (Which of course shouldn't be the case).

Sorry if my last answer was a little aggressive.

This behavior looks strange. For example, in CefCookieVisitor.Visit the |CefCookie.domain| is always filled, and if you use these cookies to set in a different context, you will get a different result.