HTTP - Domain value of a Cookie
Table of Contents
About
This page is about the domain property of a cookie that is part of the scope that determine to which resource the browser cookies are added to the request (ie returned to the server).
The Domain attribute specifies the hosts (port excluded) to which the cookie will be sent.
Setting the cookie domain value to all subdomains (i.e., *.website.com) will sent all this cookie automatically to all sub-domain HTTP request and as cookie may also holds credentials information (ie session cookie), great care should be taken to set the domain as restrictive as possible.
Articles Related
Example
- if the value of the Domain attribute is:
- example.com
-
- example.com,
Management
Not set
If the Domain attribute is omitted, the user agent will return the cookie only to the origin server.
Some existing user agents treat an absent Domain attribute as if the Domain attribute were present and contained the current host name. These user agents will erroneously send the cookie to www.example.com as well.
Set
The domain of a cookie is set by the server via the Set-Cookie header and not by the user-agent (browser).
In javascript, setting cookies to foreign domains are silently ignored.
First party domain
Example from foo.example.com, the user agent (browser) will :
- accept:
- example.com
- or foo.example.com
- reject:
- bar.example.com
- or baz.foo.example.com
Third party domain
Bad Domain
If the apex/registered domain of the cookie domain does not match the apex domain of the requested URL, the cookie is ignored and you get the below warning.
This set-cookie was blocked because its Domain attribute was invalid with regards to the current host url
Top Level Domain
public suffixes such as com or co.uk are rejected.
Documentation / Reference
- The definition can be found in the rfc6265 section 5.2.3