By Vilx-


2009-06-30 10:35:39 8 Comments

Due to weird domain/subdomain cookie issues that I'm getting, I'd like to know how browsers handle cookies. If they do it in different ways, it would also be nice to know the differences.

In other words - when a browser receives a cookie, that cookie MAY have a domain and a path attached to it. Or not, in which case the browser probably substitutes some defaults for them. Question 1: what are they?

Later, when the browser is about to make a request, it checks its cookies and filters out the ones it should send for that request. It does so by matching them against the requests path and domain. Question 2: what are the matching rules?


Added:

The reason I'm asking this is because I'm interested in some edge cases. Like:

  • Will a cookie for .example.com be available for www.example.com?
  • Will a cookie for .example.com be available for example.com?
  • Will a cookie for example.com be available for www.example.com?
  • Will a cookie for example.com be available for anotherexample.com?
  • Will www.example.com be able to set cookie for example.com?
  • Will www.example.com be able to set cookie for www2.example.com?
  • Will www.example.com be able to set cookie for .com?
  • Etc.

Added 2:

Also, could someone suggest how I should set a cookie so that:

  • It can be set by either www.example.com or example.com;
  • It is accessible by both www.example.com and example.com.

9 comments

@xiaoke 2019-08-09 18:51:46

I tested all the cases in the latest Chrome, Firefox, Safari in 2019.

Response to Added:

  • Will a cookie for .example.com be available for www.example.com? YES
  • Will a cookie for .example.com be available for example.com? YES
  • Will a cookie for example.com be available for www.example.com? NO, Domain without wildcard only matches itself.
  • Will a cookie for example.com be available for anotherexample.com? NO
  • Will www.example.com be able to set cookie for example.com? NO, it will be able to set cookie for '.example.com', but not 'example.com'.
  • Will www.example.com be able to set cookie for www2.example.com? NO. But it can set cookie for .example.com, which www2.example.com can access.
  • Will www.example.com be able to set cookie for .com? NO

@ZhongYu 2015-06-05 21:45:04

The previous answers are a little outdated.

RFC 6265 was published in 2011, based on the browser consensus at that time. Since then, there has been some complication with public suffix domains. I've written an article explaining the current situation - http://bayou.io/draft/cookie.domain.html

To summarize, rules to follow regarding cookie domain:

  • The origin domain of a cookie is the domain of the originating request.

  • If the origin domain is an IP, the cookie's domain attribute must not be set.

  • If a cookie's domain attribute is not set, the cookie is only applicable to its origin domain.

  • If a cookie's domain attribute is set,

    • the cookie is applicable to that domain and all its subdomains;
    • the cookie's domain must be the same as, or a parent of, the origin domain
    • the cookie's domain must not be a TLD, a public suffix, or a parent of a public suffix.

It can be derived that a cookie is always applicable to its origin domain.

The cookie domain should not have a leading dot, as in .foo.com - simply use foo.com

As an example,

  • x.y.z.com can set a cookie domain to itself or parents - x.y.z.com, y.z.com, z.com. But not com, which is a public suffix.
  • a cookie with domain=y.z.com is applicable to y.z.com, x.y.z.com, a.x.y.z.com etc.

Examples of public suffixes - com, edu, uk, co.uk, blogspot.com, compute.amazonaws.com

@roelleor 2015-07-09 07:47:25

do all browsers follow RFC 6265?

@ZhongYu 2015-07-09 14:07:04

@roelleor - it's the other way around. rfc6265 was written to summarize how cookies were actually handled in practice :) yes, the rfc is a pretty accurate reflection of how major browsers behave. my recent tests on browsers confirmed that. although, they may differ on corner cases involving public suffixes.

@UpTheCreek 2015-11-18 11:58:00

What are the consequences of a leading dot?

@ZhongYu 2015-12-08 21:05:15

@UpTheCreek - according to rfc6265, leading dot should be ignored by client

@Royi Namir 2019-03-18 07:48:07

Isn't it strange that x.y.z.com can set a cookie to z.com ?

@Ioanna 2019-05-07 03:38:34

So if x.y.z.com can set a cookie to y.z.com, and a cookie with domain y.z.com is applicable to w.y.z.com... Does that mean that x.y.z.com can set a cookie to w.y.z.com?

@Gumbo 2009-06-30 13:43:09

Although there is the RFC 2965 (Set-Cookie2, had already obsoleted RFC 2109) that should define the cookie nowadays, most browsers don’t fully support that but just comply to the original specification by Netscape.

There is a distinction between the Domain attribute value and the effective domain: the former is taken from the Set-Cookie header field and the latter is the interpretation of that attribute value. According to the RFC 2965, the following should apply:

  • If the Set-Cookie header field does not have a Domain attribute, the effective domain is the domain of the request.
  • If there is a Domain attribute present, its value will be used as effective domain (if the value does not start with a . it will be added by the client).

Having the effective domain it must also domain-match the current requested domain for being set; otherwise the cookie will be revised. The same rule applies for choosing the cookies to be sent in a request.


Mapping this knowledge onto your questions, the following should apply:

  • Cookie with Domain=.example.com will be available for www.example.com
  • Cookie with Domain=.example.com will be available for example.com
  • Cookie with Domain=example.com will be converted to .example.com and thus will also be available for www.example.com
  • Cookie with Domain=example.com will not be available for anotherexample.com
  • www.example.com will be able to set cookie for example.com
  • www.example.com will not be able to set cookie for www2.example.com
  • www.example.com will not be able to set cookie for .com

And to set and read a cookie for/by www.example.com and example.com, set it for .www.example.com and .example.com respectively. But the first (.www.example.com) will only be accessible for other domains below that domain (e.g. foo.www.example.com or bar.www.example.com) where .example.com can also be accessed by any other domain below example.com (e.g. foo.example.com or bar.example.com).

@Pacerier 2012-07-18 05:09:29

@Gumbo So a.b.c.example.com can access the cookie with domain c.example.com?

@errah 2014-04-09 02:43:55

very late follow up question to this one. My own experience and this: webmasters.stackexchange.com/questions/55790/… suggest that the domain of example.com will not be available to www.example.com, but this example suggests otherwise. Is this example wrong, or am I (quite possible) misunderstanding. Sorry for thread necromancy but wanted to make sure this excellent answer was 100% accurate for future confused newbies like me :)

@ZhongYu 2015-06-05 22:11:31

this answer is a little outdated; see my answer below.

@Nabeel Khan 2016-01-26 04:57:30

why not setting for example.com be available for www.example.com? (as it's a "www" sub of example.com?

@joeforker 2018-08-28 12:47:43

Set-Cookie2 is itself obsolete. Continue to use Set-Cookie.

@Victor Akimov 2013-09-12 15:08:50

The last (third to be exactly) RFC for this issue is RFC-6265 (Obsoletes RFC-2965 that in turn obsoletes RFC-2109).

According to it if the server omits the Domain attribute, the user agent will return the cookie only to the origin server (the server on which a given resource resides). But it's also warning that some existing user agents treat an absent Domain attribute as if the Domain attribute were present and contained the current host name (For example, if example.com returns a Set-Cookie header without a Domain attribute, these user agents will erroneously send the cookie to www.example.com as well).

When the Domain attribute have been specified, it will be treated as complete domain name (if there is the leading dot in attribute it will be ignored). Server should match the domain specified in attribute (have exactly the same domain name or to be a subdomain of it) to get this cookie. More accurately it specified here.

So, for example:

  • cookie attribute Domain=.example.com is equivalent to Domain=example.com
  • cookies with such Domain attributes will be available for example.com and www.example.com
  • cookies with such Domain attributes will be not available for another-example.com
  • specifying cookie attribute like Domain=www.example.com will close the way for www4.example.com

PS: trailing comma in Domain attribute will cause the user agent to ignore the attribute =(

@Gert-Jan Strik 2013-05-10 15:47:57

There are rules that determine whether a browser will accept the Set-header response header (server-side cookie writing), a slightly different rules/interpretations for cookie set using Javascript (I haven't tested VBScript).

Then there are rules that determine whether the browser will send a cookie along with the page request.

There are differences between the major browser engines how domain matches are handled, and how parameters in path values are interpreted. You can find some empirical evidence in the article How Different Browsers Handle Cookies Differently

@user100034 2011-11-04 21:37:29

I was surprised to read section 3.3.2 about rejecting cookies:

http://tools.ietf.org/html/rfc2965

That says that a browser should reject a cookie from x.y.z.com with domain .z.com, because 'x.y' contains a dot. So, unless I am misinterpreting the RFC and/or the questions above, there could be questions added:

Will a cookie for .example.com be available for www.yyy.example.com? No.

Will a cookie set by origin server www.yyy.example.com, with domain .example.com, have it's value sent by the user agent to xxx.example.com? No.

@ZhongYu 2015-06-05 20:58:37

that rfc is outdated. new rfc 6265, based on browser consensus, allows cookie with z.com to be applied to z.com and all subdomains.

@Julian Reschke 2010-05-07 15:01:20

The RFCs are known not to reflect reality.

Better check draft-ietf-httpstate-cookie, work in progress.

@ZhongYu 2015-06-05 20:59:18

now officially rfc 6265.

@TRiG 2010-05-07 14:16:15

Will www.example.com be able to set cookie for .com?

No, but example.com.fr may be able to set a cookie for example2.com.fr. Firefox protects against this by maintaining a list of TLDs: http://securitylabs.websense.com/content/Blogs/3108.aspx

Apparently Internet Explorer doesn't allow two-letter domains to set cookies, which I suppose explains why o2.ie simply redirects to o2online.ie. I'd often wondered that.

@ZhongYu 2015-06-05 21:01:24

"com.fr" is konwn as "public suffix". cookie domain cannot be public suffix. see rfc 6265 and publicsuffix.org

@TRiG 2015-06-06 03:17:17

Yes, there's a solution, but it's an exceedingly messy one. This sort of labelling should be baked into the DNS, not done on an ad hoc basis separately.

@ZhongYu 2015-06-06 03:24:18

True, and maybe you are referring to "dbound". But that may create more problems; like, posing a challenge for http client implementations.

@Dtipson 2016-11-30 04:26:27

It would be useful if this information were exposed in some way from the browser to javascript. Otherwise, it's impossible to programmatically determine whether you can set a cookie on a certain level of domain. You can't check that list with every call after all!

@AnthonyWJones 2009-06-30 10:46:37

For an extensive coverage review the contents of RFC2965. Of course that doesn't necessarily mean that all browsers behave exactly the same way.

However in general the rule for default Path if none specified in the cookie is the path in the URL from which the Set-Cookie header arrived. Similarly the default for the Domain is the full host name in the URL from which the Set-Cookie arrived.

Matching rules for the domain require the cookie Domain to match the host to which the request is being made. The cookie can specify a wider domain match by include *. in the domain attribute of Set-Cookie (this one area that browsers may vary). Matching the path (assuming the domain matches) is a simple matter that the requested path must be inside the path specified on the cookie. Typically session cookies are set with path=/ or path=/applicationName/ so the cookie is available to all requests into the application.


Response to Added:

  • Will a cookie for .example.com be available for www.example.com? Yes
  • Will a cookie for .example.com be available for example.com? Don't Know
  • Will a cookie for example.com be available for www.example.com? Shouldn't but... *
  • Will a cookie for example.com be available for anotherexample.com? No
  • Will www.example.com be able to set cookie for example.com? Yes
  • Will www.example.com be able to set cookie for www2.example.com? No (Except via .example.com)
  • Will www.example.com be able to set cookie for .com? No (Can't set a cookie this high up the namespace nor can you set one for something like .co.uk).

* I'm unable to test this right now but I have an inkling that at least IE7/6 would treat the path example.com as if it were .example.com.

@Vilx- 2009-06-30 10:58:33

I've added some interesting edge cases in my question. Could you maybe commend something on that?

Related Questions

Sponsored Content

26 Answered Questions

[SOLVED] How do we control web page caching, across all browsers?

13 Answered Questions

[SOLVED] How do I set/unset a cookie with jQuery?

25 Answered Questions

[SOLVED] How can I safely create a nested directory?

12 Answered Questions

[SOLVED] Cross-Domain Cookies

16 Answered Questions

[SOLVED] What is the maximum length of a URL in different browsers?

  • 2009-01-06 16:14:30
  • Sander Versluys
  • 1161746 View
  • 4597 Score
  • 16 Answer
  • Tags:   http url browser

17 Answered Questions

[SOLVED] Cookies on localhost with explicit domain

  • 2009-07-15 21:47:55
  • Jan Zich
  • 183217 View
  • 166 Score
  • 17 Answer
  • Tags:   cookies setcookie

6 Answered Questions

[SOLVED] Local Storage vs Cookies

2 Answered Questions

[SOLVED] Domain set cookie for subdomain

1 Answered Questions

[SOLVED] Domain in cookies

3 Answered Questions

[SOLVED] It's possible to share a cookie between 'some' subdomains?

  • 2009-07-16 06:23:51
  • Cesar
  • 15314 View
  • 22 Score
  • 3 Answer
  • Tags:   http cookies

Sponsored Content