Can subdomain.example.com set a cookie that can be read by example.com?


Solution 1

Quoting from the same RFC2109 you read:

       * A Set-Cookie from request-host x.foo.com for Domain=.foo.com would
         be accepted.

So subdomain.example.com can set a cookie for .example.com. So far so good.

       The following rules apply to choosing applicable cookie-values from
       among all the cookies the user agent has.

       Domain Selection
            The origin server's fully-qualified host name must domain-match
            the Domain attribute of the cookie

So do we have a domain-match?

   * A is a FQDN string and has the form NB, where N is a non-empty name
     string, B has the form .B', and B' is a FQDN string.  (So, x.y.com
     domain-matches .y.com but not y.com.)

But now example.com wouldn't domain-match .example.com according to the definition. But www.example.com (or any other "non-empty name" in the domain) would. This RFC is in theory obsoleted by RFC2965, which dictated things about forcing a leading dot for domains on Set-Cookie2 operations.

More important, as noted by @Tony, is the real world. For a glimpse into what actual user agents are doing, see

Firefox 3's nsCookieService.cpp

and

Chrome's cookie_monster.cc

For perspective into what actual sites are doing, try playing with wget using --save-cookies, --load-cookies, and --debug to see what's going on.

You'll likely find that in fact most sites are using some combination of Set-Cookie from the older RFC spec with "Host" values, implicitly without a leading dot (as twitter.com does) or setting Domain values (with a leading dot) and redirecting to a server like www.example.com (as google.com does).

Solution 2

If the browser implements RFC 6265, which any modern browser should be doing at this point, then a cookie set for .example.com will have the leading dot ignored (section 5.2.3), and the cookie will then be sent to the naked domain and to all subdomains.

Don't rely on this behavior if you have significant traffic from older browsers; this RFC only dates to 2011.
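The two domain-matching rules the answers above quote, implemented side by side as an added illustration; this is not code from either RFC, from any browser, or from the answerers. The RFC 6265 public-suffix check (section 5.3, step 5) is left out.

```javascript
// Added illustration of the two domain-matching rules discussed in the
// answers above; this is not code from either RFC or from any browser.
// The public-suffix check of RFC 6265 section 5.3 step 5 is omitted.

// RFC 2109: A domain-matches B if they are equal, or A has the form N + B
// where N is a non-empty name string and B begins with a dot.
function rfc2109DomainMatches(a, b) {
  if (a === b) return true;
  return b.startsWith('.') && a.endsWith(b) && a.length > b.length;
}

// RFC 6265 section 5.1.3: equal, or the host ends with "." + domain and
// the host is not an IPv4 literal.
function rfc6265DomainMatches(host, domain) {
  if (host === domain) return true;
  return host.endsWith('.' + domain) && !/^\d+(\.\d+){3}$/.test(host);
}

// RFC 6265 sections 5.2.3 and 5.3: compute the scope a user agent stores
// for a Set-Cookie from requestHost with an optional Domain attribute.
// Returns null when the cookie must be ignored.
function storeCookie(requestHost, domainAttr) {
  const host = requestHost.toLowerCase();
  if (!domainAttr) return { domain: host, hostOnly: true };
  let domain = domainAttr.toLowerCase();
  if (domain.startsWith('.')) domain = domain.slice(1);  // leading dot ignored
  if (!rfc6265DomainMatches(host, domain)) return null;  // outside the setter's scope
  return { domain, hostOnly: false };
}

// RFC 6265 section 5.4: would the stored cookie be sent to requestHost?
function isSentTo(cookie, requestHost) {
  const host = requestHost.toLowerCase();
  return cookie.hostOnly ? host === cookie.domain
                         : rfc6265DomainMatches(host, cookie.domain);
}

// The question's scenario: subdomain.example.com sets Domain=.example.com.
const shared = storeCookie('subdomain.example.com', '.example.com');
console.log(isSentTo(shared, 'example.com'));                      // true (RFC 6265)
console.log(rfc2109DomainMatches('example.com', '.example.com'));  // false (RFC 2109)
// Without a Domain attribute the cookie is host-only and stays on the subdomain.
const hostOnly = storeCookie('subdomain.example.com');
console.log(isSentTo(hostOnly, 'example.com'));                    // false
```

Under the RFC 6265 rules a Domain attribute can only widen a cookie to the setter's own parent domain; attempts to scope it to a sibling or unrelated host are discarded.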

Solution 3

It should not be possible. However, as you said, since this isn't a widely documented standard, it depends on what piece of software you're using.

Most modern browsers adhere to a defined "web security model". The model effectively governs the behavior of browsers with regards to security, on things like cookies (specifically how they will be sent back to any given website). The model also has the rule that "browsers don't send cookies to domain names that didn't set them."

That being said, domain.com should be able to set cookies for js.domain.com. js.domain.com, however, can only set cookies for itself. But this is all depending on what browser you're using.


Author: Evan Plaice

Updated on September 18, 2022

Comments

  • Evan Plaice
    Evan Plaice over 1 year

    I simply cannot believe this is quite so hard to determine.

    Even having read the RFCs, it's not clear to me if a server at subdomain.example.com can set a cookie that can be read by example.com.

    subdomain.example.com can set a cookie whose Domain attribute is .example.com. RFC 2965 seems to explicitly state that such a cookie will not be sent to example.com, but then equally says that if you set Domain=example.com, a dot is prepended, as if you said .example.com. Taken together, this seems to say that if example.com sets a cookie with Domain=example.com, it doesn't get that cookie back! That can't be right.

    Can anyone clarify what the rules really are?

    • Philip
      Philip over 9 years
      This question should have been closed/migrated back when it was asked, but since it gained a lot of attention I'm going to lock it instead of closing. See stackoverflow.com/questions/3089199/… for the dupe, on the correct site.
  • medina
    medina almost 14 years
    Leading dot is only forced by the more recent RFC. example.com can set cookies for "example.com" and ".example.com"; the latter can be read by www.example.com. Use the wget commands shown to see what's happening.
  • Pacerier
    Pacerier about 11 years
    @medina, Can a user set cookies at x1.y.z and read it at x2.y.z?
  • Michael Hampton
    Michael Hampton about 11 years
    @Pacerier Only if (1) you set the cookie for y.z and (2) the user-agent implements RFC 6265.
  • Pacerier
    Pacerier about 11 years
    @MichaelHampton, don't browsers implement RFC 6265?
  • Michael Hampton
    Michael Hampton about 11 years
    @Pacerier You'll have to ask them, or check their source code.