HTTP - Domain value of a Cookie


This page is about the domain property of a cookie that is part of the scope that determine to which resource the browser cookies are added to the request (ie returned to the server).

The Domain attribute specifies the hosts (port excluded) to which the cookie will be sent.

Setting the cookie domain value to all subdomains (i.e., * will sent all this cookie automatically to all sub-domain HTTP request and as cookie may also holds credentials information (ie session cookie), great care should be taken to set the domain as restrictive as possible.



Not set

If the Domain attribute is omitted, the user agent will return the cookie only to the origin server.

Some existing user agents treat an absent Domain attribute as if the Domain attribute were present and contained the current host name. These user agents will erroneously send the cookie to as well.


The domain of a cookie is set by the server via the Set-Cookie header and not by the user-agent (browser).

In javascript, setting cookies to foreign domains are silently ignored.

First party domain

Example from, the user agent (browser) will :

  • accept:
    • or
  • reject:
    • or

Third party domain

Bad Domain

If the apex/registered domain of the cookie domain does not match the apex domain of the requested URL, the cookie is ignored and you get the below warning.

This set-cookie was blocked because its Domain attribute was invalid with regards to the current host url

Top Level Domain

public suffixes such as com or are rejected.

Documentation / Reference

Powered by ComboStrap