The domain property of a cookie in depth

About

This page is about the domain property of a cookie, which is part of the scope that determines for which resources the browser adds the cookie to the request (i.e., returns it to the server).

The Domain attribute specifies the hosts (port excluded) to which the cookie will be sent.

Setting the cookie domain to cover all subdomains (i.e., *.website.com) sends the cookie automatically with every HTTP request to any subdomain. Because a cookie may also hold credential information (such as a session cookie), great care should be taken to set the domain as restrictively as possible.

Example

Management

Not set

If the Domain attribute is omitted, the user agent will return the cookie only to the origin server.

Some existing user agents treat an absent Domain attribute as if the Domain attribute were present and contained the current host name. For a cookie set by example.com without a Domain attribute, these user agents will erroneously send the cookie to www.example.com as well.

Set

The domain of a cookie is set by the server via the Set-Cookie header and not by the user-agent (browser).

In JavaScript, attempts to set cookies for foreign domains are silently ignored.

First party domain

For example, for a first-party cookie set from foo.example.com, the user agent (browser) will accept or reject the following Domain values:

  • accept:
    • example.com
    • or foo.example.com
  • reject:
    • bar.example.com
    • or baz.foo.example.com

Third party domain

See What is a Third-party (3P) Cookie and how it works?

Bad Domain

If the apex (registered) domain of the cookie domain does not match the apex domain of the requested URL, the cookie is ignored and the browser shows the warning below.

This set-cookie was blocked because its Domain attribute was invalid with regards to the current host url

Top Level Domain

Public suffixes such as com or co.uk are rejected.
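
The acceptance rules from the sections above (Domain not set, first-party domain, bad domain, public suffix), as an added example that is not code from the original page. The helper names evaluateSetCookieDomain and cookieSentTo are hypothetical, and PUBLIC_SUFFIXES is a small constructed stand-in for the real Public Suffix List.

```javascript
// Constructed stand-in for the Public Suffix List (the real list has thousands of entries).
const PUBLIC_SUFFIXES = new Set(["com", "uk", "co.uk"]);

// Domain-match: the host equals the domain, or is a subdomain of it (IP literals never are).
function domainMatches(host, domain) {
  if (host === domain) return true;
  const isIp = /^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.includes(":");
  return !isIp && host.endsWith("." + domain);
}

// What the browser stores for a Set-Cookie received from requestHost (hypothetical helper).
function evaluateSetCookieDomain(requestHost, domainAttr) {
  const host = requestHost.toLowerCase();
  if (!domainAttr) return { accepted: true, hostOnly: true, domain: host }; // Domain not set
  const domain = domainAttr.toLowerCase().replace(/^\./, ""); // a leading dot is ignored
  if (PUBLIC_SUFFIXES.has(domain)) return { accepted: false, reason: "public-suffix" };
  if (!domainMatches(host, domain)) return { accepted: false, reason: "domain-mismatch" };
  return { accepted: true, hostOnly: false, domain };
}

// Whether a stored cookie is attached to a request for requestHost (hypothetical helper).
function cookieSentTo(cookie, requestHost) {
  const host = requestHost.toLowerCase();
  return cookie.hostOnly ? host === cookie.domain : domainMatches(host, cookie.domain);
}

// The page's first-party example: Set-Cookie responses served by foo.example.com.
for (const d of [undefined, "example.com", "foo.example.com", "bar.example.com",
                 "baz.foo.example.com", "com", "co.uk"]) {
  console.log(String(d).padEnd(20), JSON.stringify(evaluateSetCookieDomain("foo.example.com", d)));
}

// A wide Domain reaches sibling hosts; a host-only cookie does not.
const wide = evaluateSetCookieDomain("foo.example.com", "example.com");
const narrow = evaluateSetCookieDomain("foo.example.com", undefined);
console.log("wide -> bar.example.com:", cookieSentTo(wide, "bar.example.com"));
console.log("narrow -> bar.example.com:", cookieSentTo(narrow, "bar.example.com"));
```

The last two lines show why the Domain should be as restrictive as possible: the cookie scoped to example.com is also attached to requests for bar.example.com, while the host-only cookie stays on foo.example.com.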
