Are some top-level domains (like amazonaws.com) prevented / blocked from being used as cookie domain?

We have a simple service running in EC2. We are testing setting our cookies with domain ".amazonaws.com", but it's not working correctly.

The cookie and domain are being set:

Content-Length:62
Date:Tue, 15 Apr 2014 10:26:55 GMT
Server:Apache-Coyote/1.1
Set-Cookie:test=alfie; Domain=.mycompany.com; Expires=Sun, 27-Apr-2014 00:13:35 GMT; Path=/
Set-Cookie:test2=alfie; Domain=.amazonaws.com; Expires=Sun, 27-Apr-2014 00:13:35 GMT; Path=/

If we request using xxxx.yyyy.mycompany.com, the cookie appears in Resources (Chrome tools) and is resent on the next request.

However, if we request using host xxxx.yyyy.amazonaws.com, the response is the same but the cookie does not appear in Chrome tools and is not resent.

Removing the domain (so that cookie uses fully qualified hostname) works fine in both cases.

Clearly using .amazonaws.com as the domain is a Bad Idea, but it seems strange to me that it doesn't work, as it implies this restriction is being enforced by Chrome somehow (and other browsers - Firefox shows the same behaviour).

Or is it something else basic we are missing?!

Thanks, Alfie.

jugglingcats asked Apr 15 '14 10:04



1 Answer

Yes. Browsers don't let you set cookies for what they consider to be top level domains, for example you can't set a cookie for .com.

There's not a hard and fast rule you can use for determining whether a domain is a top level domain - it's up to the registrar where they allow registrations, so you pretty much just have to create a list.

You can see the list of domains Firefox considers to be top level domains in the Firefox source code. Among other things there are a bunch of amazon related ones.

Frederick Cheung answered Nov 15 '22 12:11

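The check the answer describes, as an added Python example that is not part of the original post: a browser rejects a Domain attribute that is a public suffix, and otherwise requires the request host to domain-match it (RFC 6265 sections 5.2.3 and 5.3). PUBLIC_SUFFIXES is a small constructed list standing in for the real public suffix list Firefox ships, and the function names are assumptions of this example.

```python
# Constructed, illustrative subset of a public suffix list. The real list
# (which Firefox and Chrome consult) is far longer; entries here are chosen
# only to reproduce the behaviour in the question.
PUBLIC_SUFFIXES = {
    "com", "co.uk", "amazonaws.com", "compute.amazonaws.com",
    "*.compute.amazonaws.com",   # wildcard: one extra label under the parent
}


def is_public_suffix(domain):
    """True if cookies must not be scoped to this domain as a whole."""
    domain = domain.lower().rstrip(".")
    if domain in PUBLIC_SUFFIXES:
        return True
    # A wildcard rule "*.parent" matches exactly one label in front of parent.
    labels = domain.split(".")
    return len(labels) > 1 and "*." + ".".join(labels[1:]) in PUBLIC_SUFFIXES


def domain_matches(host, domain):
    """RFC 6265 s5.1.3: host equals domain or ends with '.' + domain."""
    return host == domain or host.endswith("." + domain)


def effective_cookie_domain(request_host, domain_attr):
    """Decide how a user agent stores a cookie from a Set-Cookie header.

    Returns (accepted, stored_domain, host_only), following RFC 6265 s5.3
    steps 4-6 with the public-suffix rejection enabled (as browsers do).
    """
    host = request_host.lower().rstrip(".")
    if not domain_attr:
        return True, host, True               # no Domain attribute: host-only
    # s5.2.3: a leading dot on the Domain attribute is ignored.
    domain = domain_attr.lower().lstrip(".").rstrip(".")
    if is_public_suffix(domain):
        if host == domain:
            return True, host, True           # exact match: demoted to host-only
        return False, None, None              # rejected, e.g. Domain=.amazonaws.com
    if not domain_matches(host, domain):
        return False, None, None              # rejected: host is not under domain
    return True, domain, False                # accepted, sent to all subdomains
```

Running the question's two responses through it, the .mycompany.com cookie is stored and the .amazonaws.com one is silently dropped, which is exactly what Chrome's Resources panel showed.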