How do browser cookie domains work?

http cookies path dns rules

262,524

Solution 1

Although there is the RFC 2965 (Set-Cookie2, had already obsoleted RFC 2109) that should define the cookie nowadays, most browsers don’t fully support that but just comply to the original specification by Netscape.

There is a distinction between the Domain attribute value and the effective domain: the former is taken from the Set-Cookie header field and the latter is the interpretation of that attribute value. According to the RFC 2965, the following should apply:

If the Set-Cookie header field does not have a Domain attribute, the effective domain is the domain of the request.
If there is a Domain attribute present, its value will be used as effective domain (if the value does not start with a . it will be added by the client).

Having the effective domain it must also domain-match the current requested domain for being set; otherwise the cookie will be revised. The same rule applies for choosing the cookies to be sent in a request.

Mapping this knowledge onto your questions, the following should apply:

Cookie with Domain=.example.com will be available for www.example.com
Cookie with Domain=.example.com will be available for example.com
Cookie with Domain=example.com will be converted to .example.com and thus will also be available for www.example.com
Cookie with Domain=example.com will not be available for anotherexample.com
www.example.com will be able to set cookie for example.com
www.example.com will not be able to set cookie for www2.example.com
www.example.com will not be able to set cookie for .com

And to set and read a cookie for/by www.example.com and example.com, set it for .www.example.com and .example.com respectively. But the first (.www.example.com) will only be accessible for other domains below that domain (e.g. foo.www.example.com or bar.www.example.com) where .example.com can also be accessed by any other domain below example.com (e.g. foo.example.com or bar.example.com).

Solution 2

The previous answers are a little outdated.

RFC 6265 was published in 2011, based on the browser consensus at that time. Since then, there has been some complication with public suffix domains. I've written an article explaining the current situation - http://bayou.io/draft/cookie.domain.html

To summarize, rules to follow regarding cookie domain:

The origin domain of a cookie is the domain of the originating request.
If the origin domain is an IP, the cookie's domain attribute must not be set.
If a cookie's domain attribute is not set, the cookie is only applicable to its origin domain.
If a cookie's domain attribute is set,
- the cookie is applicable to that domain and all its subdomains;
- the cookie's domain must be the same as, or a parent of, the origin domain
- the cookie's domain must not be a TLD, a public suffix, or a parent of a public suffix.

It can be derived that a cookie is always applicable to its origin domain.

The cookie domain should not have a leading dot, as in .foo.com - simply use foo.com

As an example,

x.y.z.com can set a cookie domain to itself or parents - x.y.z.com, y.z.com, z.com. But not com, which is a public suffix.
a cookie with domain=y.z.com is applicable to y.z.com, x.y.z.com, a.x.y.z.com etc.

Examples of public suffixes - com, edu, uk, co.uk, blogspot.com, compute.amazonaws.com

Solution 3

For an extensive coverage review the contents of RFC2965. Of course that doesn't necessarily mean that all browsers behave exactly the same way.

However in general the rule for default Path if none specified in the cookie is the path in the URL from which the Set-Cookie header arrived. Similarly the default for the Domain is the full host name in the URL from which the Set-Cookie arrived.

Matching rules for the domain require the cookie Domain to match the host to which the request is being made. The cookie can specify a wider domain match by include *. in the domain attribute of Set-Cookie (this one area that browsers may vary). Matching the path (assuming the domain matches) is a simple matter that the requested path must be inside the path specified on the cookie. Typically session cookies are set with path=/ or path=/applicationName/ so the cookie is available to all requests into the application.

__Response to Added:__

Will a cookie for .example.com be available for www.example.com? Yes
Will a cookie for .example.com be available for example.com? Don't Know
Will a cookie for example.com be available for www.example.com? Shouldn't but... *
Will a cookie for example.com be available for anotherexample.com? No
Will www.example.com be able to set cookie for example.com? Yes
Will www.example.com be able to set cookie for www2.example.com? No (Except via .example.com)
Will www.example.com be able to set cookie for .com? No (Can't set a cookie this high up the namespace nor can you set one for something like .co.uk).

* I'm unable to test this right now but I have an inkling that at least IE7/6 would treat the path example.com as if it were .example.com.

Solution 4

I tested all the cases in the latest Chrome, Firefox, Safari in 2019.

Response to Added:

Will a cookie for .example.com be available for www.example.com? YES
Will a cookie for .example.com be available for example.com? YES
Will a cookie for example.com be available for www.example.com? NO, Domain without wildcard only matches itself.
Will a cookie for example.com be available for anotherexample.com? NO
Will www.example.com be able to set cookie for example.com? NO, it will be able to set cookie for '.example.com', but not 'example.com'.
Will www.example.com be able to set cookie for www2.example.com? NO. But it can set cookie for .example.com, which www2.example.com can access.
Will www.example.com be able to set cookie for .com? NO

Solution 5

The last (third to be exactly) RFC for this issue is RFC-6265 (Obsoletes RFC-2965 that in turn obsoletes RFC-2109).

According to it if the server omits the Domain attribute, the user agent will return the cookie only to the origin server (the server on which a given resource resides). But it's also warning that some existing user agents treat an absent Domain attribute as if the Domain attribute were present and contained the current host name (For example, if example.com returns a Set-Cookie header without a Domain attribute, these user agents will erroneously send the cookie to www.example.com as well).

When the Domain attribute have been specified, it will be treated as complete domain name (if there is the leading dot in attribute it will be ignored). Server should match the domain specified in attribute (have exactly the same domain name or to be a subdomain of it) to get this cookie. More accurately it specified here.

So, for example:

cookie attribute Domain=.example.com is equivalent to Domain=example.com
cookies with such Domain attributes will be available for example.com and www.example.com
cookies with such Domain attributes will be not available for another-example.com
specifying cookie attribute like Domain=www.example.com will close the way for www4.example.com

PS: trailing comma in Domain attribute will cause the user agent to ignore the attribute =(

View more solutions

262,524

Author by

Vilx-

Just your average everyday programmer. #SOreadytohelp

Updated on August 24, 2020

Comments

Vilx- almost 4 years
Due to weird domain/subdomain cookie issues that I'm getting, I'd like to know how browsers handle cookies. If they do it in different ways, it would also be nice to know the differences.

In other words - when a browser receives a cookie, that cookie MAY have a domain and a path attached to it. Or not, in which case the browser probably substitutes some defaults for them. Question 1: what are they?

Later, when the browser is about to make a request, it checks its cookies and filters out the ones it should send for that request. It does so by matching them against the requests path and domain. Question 2: what are the matching rules?
Added:

The reason I'm asking this is because I'm interested in some edge cases. Like:
- Will a cookie for .example.com be available for www.example.com?
- Will a cookie for .example.com be available for example.com?
- Will a cookie for example.com be available for www.example.com?
- Will a cookie for example.com be available for anotherexample.com?
- Will www.example.com be able to set cookie for example.com?
- Will www.example.com be able to set cookie for www2.example.com?
- Will www.example.com be able to set cookie for .com?
- Etc.
Added 2:

Also, could someone suggest how I should set a cookie so that:
- It can be set by either www.example.com or example.com;
- It is accessible by both www.example.com and example.com.
Vilx- about 15 years

I've added some interesting edge cases in my question. Could you maybe commend something on that?
Pacerier almost 12 years

@Gumbo So a.b.c.example.com can access the cookie with domain c.example.com?
errah about 10 years

very late follow up question to this one. My own experience and this: webmasters.stackexchange.com/questions/55790/… suggest that the domain of example.com will not be available to www.example.com, but this example suggests otherwise. Is this example wrong, or am I (quite possible) misunderstanding. Sorry for thread necromancy but wanted to make sure this excellent answer was 100% accurate for future confused newbies like me :)
ZhongYu about 9 years

that rfc is outdated. new rfc 6265, based on browser consensus, allows cookie with z.com to be applied to z.com and all subdomains.
ZhongYu about 9 years

"com.fr" is konwn as "public suffix". cookie domain cannot be public suffix. see rfc 6265 and publicsuffix.org
ZhongYu about 9 years

this answer is a little outdated; see my answer below.
TRiG about 9 years

Yes, there's a solution, but it's an exceedingly messy one. This sort of labelling should be baked into the DNS, not done on an ad hoc basis separately.
ZhongYu about 9 years

True, and maybe you are referring to "dbound". But that may create more problems; like, posing a challenge for http client implementations.
roelleor almost 9 years

do all browsers follow RFC 6265?
ZhongYu almost 9 years

@roelleor - it's the other way around. rfc6265 was written to summarize how cookies were actually handled in practice :) yes, the rfc is a pretty accurate reflection of how major browsers behave. my recent tests on browsers confirmed that. although, they may differ on corner cases involving public suffixes.
UpTheCreek over 8 years

What are the consequences of a leading dot?
ZhongYu over 8 years

@UpTheCreek - according to rfc6265, leading dot should be ignored by client
Nabeel Khan over 8 years

why not setting for example.com be available for www.example.com? (as it's a "www" sub of example.com?
Dtipson over 7 years

It would be useful if this information were exposed in some way from the browser to javascript. Otherwise, it's impossible to programmatically determine whether you can set a cookie on a certain level of domain. You can't check that list with every call after all!
joeforker almost 6 years

Set-Cookie2 is itself obsolete. Continue to use Set-Cookie.
Royi Namir over 5 years

Isn't it strange that x.y.z.com can set a cookie to z.com ?
Ioanna about 5 years

So if x.y.z.com can set a cookie to y.z.com, and a cookie with domain y.z.com is applicable to w.y.z.com... Does that mean that x.y.z.com can set a cookie to w.y.z.com?
Devy about 4 years

The leading domain in cookie domain is a misnomer. And your answers directly contradicting with Mozilla's documentation on Cookie: developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie see the Domain section: Contrary to earlier specifications, leading dots in domain names (.example.com) are ignored.
Number945 over 3 years

All the list of public suffix for which cookies cannot be set : github.com/publicsuffix/list/blob/master/public_suffix_list.‌dat
torez233 about 3 years

thanks for pointing out the domain-match algorithm. After reading through it, I find it very easy to verify the examples listed in your answer.
torez233 about 3 years

@Ioanna if you are talking the in the response from x.y.z.com, the domain attribute value for the cookie is w.y.z.com, then I think the answer is no. x.y.z.com cannot directly set the cookie whose domain to be w.y.z.com, as x.y.z.com does not domain-match the w.y.z.com, as latter is not a suffix of the former. However, I think x.y.z.com can indirectly set a cookie for w.y.z.com, by setting the cookie for y.z.com and that cookie will be sent to w.y.z.com as well, assuming y.z.com is not a public suffix
Alex about 2 years

"the cookie's domain must be the same as, or a parent of, the origin domain" this is key. From rfc6265: "If the canonicalized request-host does not domain-match the domain-attribute: Ignore the cookie entirely and abort these steps." (request-host is the server sending the cookie, and domain-match means it equals to or ends with the string).