HTTP - Domain value of a Cookie


1 - About

This page is about the domain property of a cookie.

The definition can be found in RFC 6265: section 4.1.2.3 gives the semantics of the attribute and section 5.2.3 its parsing rules.

The Domain attribute specifies those hosts to which the cookie will be sent.

It is bad practice for a website to set cookies as accessible to all of its subdomains (i.e., *.website.com, via Domain=website.com): the cookie is then automatically attached to every HTTP request sent to any sub-domain. Because cookies are also used for cookie authentication, anyone who obtains the cookie (for instance through a compromised or untrusted sub-domain that receives it) can impersonate the user and access private user information.


3 - Example

  • if the value of the Domain attribute is:
    • example.com
  • the user agent (browser) will include the cookie in requests to
    • example.com,
    • www.example.com,
    • and www.corp.example.com

4 - Management

4.1 - Not set

If the Domain attribute is omitted, the user agent will return the cookie only to the origin server.

Some existing user agents treat an absent Domain attribute as if the Domain attribute were present and contained the current host name. For example, if example.com returns a Set-Cookie header without a Domain attribute, these user agents will erroneously send the cookie to www.example.com as well.

4.2 - Set

The domain of a cookie is set by the server via the Set-Cookie header and not by the user-agent (browser).

In JavaScript (document.cookie), an attempt to set a cookie for a foreign domain is silently ignored.


4.2.1 - First party domain

Example: for a cookie set by a response from foo.example.com, the user agent (browser) will:

  • accept:
    • example.com
    • or foo.example.com
  • reject:
    • bar.example.com
    • or baz.foo.example.com

Domain values that are public suffixes, such as com or co.uk, are rejected: the cookie is ignored entirely.
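The following JavaScript is an added example, not code from the original page; it models the two decisions described above (section 3's send rule and section 4.2.1's accept/reject rule) as they are specified in RFC 6265 (domain matching in 5.1.3, storage in 5.3, sending in 5.4). It assumes a constructed, deliberately tiny public-suffix list in place of the real Public Suffix List, and lowercase DNS host names rather than IP addresses.

```javascript
// Added example (not from the original page): RFC 6265 Domain attribute handling.
// ASSUMPTION: PUBLIC_SUFFIXES is a constructed stand-in for the real Public Suffix List.
const PUBLIC_SUFFIXES = new Set(["com", "uk", "co.uk"]);

const IPV4 = /^\d{1,3}(\.\d{1,3}){3}$/;

// RFC 6265 section 5.1.3: `host` domain-matches `domain` when they are equal, or
// `domain` is a suffix of `host` preceded by "." and `host` is a name, not an IP.
function domainMatches(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  if (host === domain) return true;
  return host.endsWith("." + domain) && !IPV4.test(host);
}

// RFC 6265 sections 5.2.3 and 5.3 (steps 4-6): a Set-Cookie received from
// `requestHost` with Domain attribute `domainAttr` (null when the attribute is
// omitted) is either stored, with a domain and host-only flag, or ignored.
function storeDecision(requestHost, domainAttr) {
  requestHost = requestHost.toLowerCase();
  if (domainAttr === null || domainAttr === "") {
    // Section 4.1: no Domain attribute -> host-only cookie for the origin server.
    return { accepted: true, domain: requestHost, hostOnly: true };
  }
  let domain = domainAttr.toLowerCase();
  if (domain.startsWith(".")) domain = domain.slice(1); // leading dot is dropped (5.2.3)
  if (PUBLIC_SUFFIXES.has(domain)) {
    // Public suffix: ignore the cookie, unless the request host IS the suffix,
    // in which case the cookie becomes host-only (5.3 step 5).
    if (domain === requestHost) {
      return { accepted: true, domain: requestHost, hostOnly: true };
    }
    return { accepted: false, reason: "Domain is a public suffix" };
  }
  if (!domainMatches(requestHost, domain)) {
    // foo.example.com may not set a cookie for bar.example.com or baz.foo.example.com.
    return { accepted: false, reason: "request host does not domain-match Domain" };
  }
  return { accepted: true, domain, hostOnly: false };
}

// RFC 6265 section 5.4 step 1: is a stored cookie attached to a request to `requestHost`?
function isSentTo(cookie, requestHost) {
  requestHost = requestHost.toLowerCase();
  if (cookie.hostOnly) return requestHost === cookie.domain;
  return domainMatches(requestHost, cookie.domain);
}

// Worked walk-through of the page's two examples; returns the observations.
function walkthrough() {
  const wide = storeDecision("example.com", "example.com");      // Domain=example.com
  const hostOnly = storeDecision("example.com", null);           // Domain omitted
  return {
    wideSentToCorp: isSentTo(wide, "www.corp.example.com"),      // true
    hostOnlySentToWww: isSentTo(hostOnly, "www.example.com"),    // false
    fooSetsBar: storeDecision("foo.example.com", "bar.example.com").accepted, // false
    fooSetsCom: storeDecision("foo.example.com", "com").accepted, // false
  };
}

module.exports = { domainMatches, storeDecision, isSentTo, walkthrough };
```

The host-only branch in storeDecision is the correct behaviour for an omitted Domain attribute; the erroneous user agents mentioned in section 4.1 behave as if `domainAttr` had been set to the request host, which is what makes them send the cookie to www.example.com as well.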

4.2.2 - Third party domain