Can subdomain.example.com set a cookie that can be read by example.com?

Question

I simply cannot believe this is quite so hard to determine.

Even having read the RFCs, it's not clear to me if a server at subdomain.example.com can set a cookie that can be read by example.com.

subdomain.example.com can set a cookie whose Domain attribute is .example.com. RFC 2965 seems to explicitly state that such a cookie will not be sent to example.com, but then equally says that if you set Domain=example.com, a dot is prepended, as if you said .example.com. Taken together, this seems to say that if example.com returns sets a cookie with Domain=example.com, it doesn't get that cookie back! That can't be right.

Can anyone clarify what the rules really are?

Answer 1

Yes.

If you make sure to specify that the domain is .example.com, then *.example.com and example.com can access it.

It's that principal that allows websites that issue cookies when somebody goes to www.website.com to access cookies when someone leaves off the www, going to website.com.

EDIT: From the PHP documentation about cookies:

domain The domain that the cookie is available. To make the cookie available on all subdomains of example.com then you'd set it to '.example.com'. The . is not required but makes it compatible with more browsers. Setting it to www.example.com will make the cookie only available in the www subdomain. Refer to tail matching in the » spec for details. http://php.net/manual/en/function.setcookie.php

And it's not unique to PHP.