By Vilx-

2009-06-30 10:35:39 8 Comments

Due to weird domain/subdomain cookie issues that I'm getting, I'd like to know how browsers handle cookies. If they do it in different ways, it would also be nice to know the differences.

In other words - when a browser receives a cookie, that cookie MAY have a domain and a path attached to it. Or not, in which case the browser probably substitutes some defaults for them. Question 1: what are they?

Later, when the browser is about to make a request, it checks its cookies and filters out the ones it should send for that request. It does so by matching them against the requests path and domain. Question 2: what are the matching rules?


The reason I'm asking this is because I'm interested in some edge cases. Like:

  • Will a cookie for be available for
  • Will a cookie for be available for
  • Will a cookie for be available for
  • Will a cookie for be available for
  • Will be able to set cookie for
  • Will be able to set cookie for
  • Will be able to set cookie for .com?
  • Etc.

Added 2:

Also, could someone suggest how I should set a cookie so that:

  • It can be set by either or;
  • It is accessible by both and


@xiaoke 2019-08-09 18:51:46

I tested all the cases in the latest Chrome, Firefox, Safari in 2019.

Response to Added:

  • Will a cookie for be available for YES
  • Will a cookie for be available for YES
  • Will a cookie for be available for NO, Domain without wildcard only matches itself.
  • Will a cookie for be available for NO
  • Will be able to set cookie for NO, it will be able to set cookie for '', but not ''.
  • Will be able to set cookie for NO. But it can set cookie for, which can access.
  • Will be able to set cookie for .com? NO

@ZhongYu 2015-06-05 21:45:04

The previous answers are a little outdated.

RFC 6265 was published in 2011, based on the browser consensus at that time. Since then, there has been some complication with public suffix domains. I've written an article explaining the current situation -

To summarize, rules to follow regarding cookie domain:

  • The origin domain of a cookie is the domain of the originating request.

  • If the origin domain is an IP, the cookie's domain attribute must not be set.

  • If a cookie's domain attribute is not set, the cookie is only applicable to its origin domain.

  • If a cookie's domain attribute is set,

    • the cookie is applicable to that domain and all its subdomains;
    • the cookie's domain must be the same as, or a parent of, the origin domain
    • the cookie's domain must not be a TLD, a public suffix, or a parent of a public suffix.

It can be derived that a cookie is always applicable to its origin domain.

The cookie domain should not have a leading dot, as in - simply use

As an example,

  • can set a cookie domain to itself or parents -,, But not com, which is a public suffix.
  • a cookie with is applicable to,, etc.

Examples of public suffixes - com, edu, uk,,,

@roelleor 2015-07-09 07:47:25

do all browsers follow RFC 6265?

@ZhongYu 2015-07-09 14:07:04

@roelleor - it's the other way around. rfc6265 was written to summarize how cookies were actually handled in practice :) yes, the rfc is a pretty accurate reflection of how major browsers behave. my recent tests on browsers confirmed that. although, they may differ on corner cases involving public suffixes.

@UpTheCreek 2015-11-18 11:58:00

What are the consequences of a leading dot?

@ZhongYu 2015-12-08 21:05:15

@UpTheCreek - according to rfc6265, leading dot should be ignored by client

@Royi Namir 2019-03-18 07:48:07

Isn't it strange that can set a cookie to ?

@Ioanna 2019-05-07 03:38:34

So if can set a cookie to, and a cookie with domain is applicable to Does that mean that can set a cookie to

@Gumbo 2009-06-30 13:43:09

Although there is the RFC 2965 (Set-Cookie2, had already obsoleted RFC 2109) that should define the cookie nowadays, most browsers don’t fully support that but just comply to the original specification by Netscape.

There is a distinction between the Domain attribute value and the effective domain: the former is taken from the Set-Cookie header field and the latter is the interpretation of that attribute value. According to the RFC 2965, the following should apply:

  • If the Set-Cookie header field does not have a Domain attribute, the effective domain is the domain of the request.
  • If there is a Domain attribute present, its value will be used as effective domain (if the value does not start with a . it will be added by the client).

Having the effective domain it must also domain-match the current requested domain for being set; otherwise the cookie will be revised. The same rule applies for choosing the cookies to be sent in a request.

Mapping this knowledge onto your questions, the following should apply:

  • Cookie with will be available for
  • Cookie with will be available for
  • Cookie with will be converted to and thus will also be available for
  • Cookie with will not be available for
  • will be able to set cookie for
  • will not be able to set cookie for
  • will not be able to set cookie for .com

And to set and read a cookie for/by and, set it for and respectively. But the first ( will only be accessible for other domains below that domain (e.g. or where can also be accessed by any other domain below (e.g. or

@Pacerier 2012-07-18 05:09:29

@Gumbo So can access the cookie with domain

@errah 2014-04-09 02:43:55

very late follow up question to this one. My own experience and this:… suggest that the domain of will not be available to, but this example suggests otherwise. Is this example wrong, or am I (quite possible) misunderstanding. Sorry for thread necromancy but wanted to make sure this excellent answer was 100% accurate for future confused newbies like me :)

@ZhongYu 2015-06-05 22:11:31

this answer is a little outdated; see my answer below.

@Nabeel Khan 2016-01-26 04:57:30

why not setting for be available for (as it's a "www" sub of

@joeforker 2018-08-28 12:47:43

Set-Cookie2 is itself obsolete. Continue to use Set-Cookie.

@Victor Akimov 2013-09-12 15:08:50

The last (third to be exactly) RFC for this issue is RFC-6265 (Obsoletes RFC-2965 that in turn obsoletes RFC-2109).

According to it if the server omits the Domain attribute, the user agent will return the cookie only to the origin server (the server on which a given resource resides). But it's also warning that some existing user agents treat an absent Domain attribute as if the Domain attribute were present and contained the current host name (For example, if returns a Set-Cookie header without a Domain attribute, these user agents will erroneously send the cookie to as well).

When the Domain attribute have been specified, it will be treated as complete domain name (if there is the leading dot in attribute it will be ignored). Server should match the domain specified in attribute (have exactly the same domain name or to be a subdomain of it) to get this cookie. More accurately it specified here.

So, for example:

  • cookie attribute is equivalent to
  • cookies with such Domain attributes will be available for and
  • cookies with such Domain attributes will be not available for
  • specifying cookie attribute like will close the way for

PS: trailing comma in Domain attribute will cause the user agent to ignore the attribute =(

@Gert-Jan Strik 2013-05-10 15:47:57

There are rules that determine whether a browser will accept the Set-header response header (server-side cookie writing), a slightly different rules/interpretations for cookie set using Javascript (I haven't tested VBScript).

Then there are rules that determine whether the browser will send a cookie along with the page request.

There are differences between the major browser engines how domain matches are handled, and how parameters in path values are interpreted. You can find some empirical evidence in the article How Different Browsers Handle Cookies Differently

@user100034 2011-11-04 21:37:29

I was surprised to read section 3.3.2 about rejecting cookies:

That says that a browser should reject a cookie from with domain, because 'x.y' contains a dot. So, unless I am misinterpreting the RFC and/or the questions above, there could be questions added:

Will a cookie for be available for No.

Will a cookie set by origin server, with domain, have it's value sent by the user agent to No.

@ZhongYu 2015-06-05 20:58:37

that rfc is outdated. new rfc 6265, based on browser consensus, allows cookie with to be applied to and all subdomains.

@Julian Reschke 2010-05-07 15:01:20

The RFCs are known not to reflect reality.

Better check draft-ietf-httpstate-cookie, work in progress.

@TRiG 2010-05-07 14:16:15

Will be able to set cookie for .com?

No, but may be able to set a cookie for Firefox protects against this by maintaining a list of TLDs:

Apparently Internet Explorer doesn't allow two-letter domains to set cookies, which I suppose explains why simply redirects to I'd often wondered that.

@ZhongYu 2015-06-05 21:01:24

"" is konwn as "public suffix". cookie domain cannot be public suffix. see rfc 6265 and

@TRiG 2015-06-06 03:17:17

Yes, there's a solution, but it's an exceedingly messy one. This sort of labelling should be baked into the DNS, not done on an ad hoc basis separately.

@ZhongYu 2015-06-06 03:24:18

True, and maybe you are referring to "dbound". But that may create more problems; like, posing a challenge for http client implementations.

@Dtipson 2016-11-30 04:26:27

It would be useful if this information were exposed in some way from the browser to javascript. Otherwise, it's impossible to programmatically determine whether you can set a cookie on a certain level of domain. You can't check that list with every call after all!

@AnthonyWJones 2009-06-30 10:46:37

For an extensive coverage review the contents of RFC2965. Of course that doesn't necessarily mean that all browsers behave exactly the same way.

However in general the rule for default Path if none specified in the cookie is the path in the URL from which the Set-Cookie header arrived. Similarly the default for the Domain is the full host name in the URL from which the Set-Cookie arrived.

Matching rules for the domain require the cookie Domain to match the host to which the request is being made. The cookie can specify a wider domain match by include *. in the domain attribute of Set-Cookie (this one area that browsers may vary). Matching the path (assuming the domain matches) is a simple matter that the requested path must be inside the path specified on the cookie. Typically session cookies are set with path=/ or path=/applicationName/ so the cookie is available to all requests into the application.

Response to Added:

  • Will a cookie for be available for Yes
  • Will a cookie for be available for Don't Know
  • Will a cookie for be available for Shouldn't but... *
  • Will a cookie for be available for No
  • Will be able to set cookie for Yes
  • Will be able to set cookie for No (Except via
  • Will be able to set cookie for .com? No (Can't set a cookie this high up the namespace nor can you set one for something like

* I'm unable to test this right now but I have an inkling that at least IE7/6 would treat the path as if it were

@Vilx- 2009-06-30 10:58:33

I've added some interesting edge cases in my question. Could you maybe commend something on that?

Related Questions

Sponsored Content

17 Answered Questions

[SOLVED] What is the maximum length of a URL in different browsers?

  • 2009-01-06 16:14:30
  • Sander Versluys
  • 1206048 View
  • 4728 Score
  • 17 Answer
  • Tags:   http url browser

25 Answered Questions

[SOLVED] How can I safely create a nested directory?

7 Answered Questions

[SOLVED] Local Storage vs Cookies

19 Answered Questions

[SOLVED] Cookies on localhost with explicit domain

  • 2009-07-15 21:47:55
  • Jan Zich
  • 197961 View
  • 175 Score
  • 19 Answer
  • Tags:   cookies setcookie

26 Answered Questions

[SOLVED] How do we control web page caching, across all browsers?

13 Answered Questions

[SOLVED] How do I set/unset a cookie with jQuery?

12 Answered Questions

[SOLVED] Cross-Domain Cookies

4 Answered Questions

[SOLVED] Why is it common to put CSRF prevention tokens in cookies?

2 Answered Questions

[SOLVED] Domain set cookie for subdomain

1 Answered Questions

[SOLVED] Domain in cookies

Sponsored Content