
Cookie on an intranet domain

Tags: http, cookies

I have a dev server in our office that is behind the firewall. The hostname is franklin. We name all our servers after scientists or inventors.

When I set an HTTP cookie:

 Set-Cookie: user=kenny; expires=1245424860.11; Path=/; domain=franklin

The cookie doesn't set. I have tried the following with no luck.

.franklin
.franklin.local
franklin.local
.franklin.localdomain
franklin.localdomain

Do I have to set the hostname to something different or can I set this cookie through some magic I don't know already?

Kenny Pyatt asked Jun 19 '09 20:06


1 Answer

RFC 2109 says:

To prevent possible security or privacy violations, a user agent rejects a cookie (shall not store its information) if any of the following is true:

  • The value for the Domain attribute contains no embedded dots or does not start with a dot.
  • The value for the request-host does not domain-match the Domain attribute.

And also:

Domain Defaults to the request-host.

If your host is franklin:

  • Cookies with domain=.franklin will be rejected, because it has no embedded dot.
  • Cookies with domain=.franklin.local will be rejected, because it does not match the actual host name of your server.

The solution is to rename your hostname to franklin.local or franklin.<tld> and set the domain attribute of the cookie accordingly (domain=.franklin.<tld>). Alternatively (as you found out), do not specify the domain, and let the user agent fall back to the request host.

molf answered Oct 05 '22 09:10
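
The two rejection rules and the default quoted from RFC 2109 in the answer above, written as a checker and run against the Domain values from the question. This is an added example, not code from the question or the answer; the function names are hypothetical, and it assumes that a host equal to the Domain value minus its leading dot counts as a match, which the rename advice relies on.

```python
# Added example: the RFC 2109 Domain checks quoted in the answer.
# Assumption (not part of the quoted RFC text): a host equal to the Domain
# value minus its leading dot counts as a match, as the rename advice relies on.


def domain_attribute(set_cookie):
    """Return the Domain attribute of a Set-Cookie value, or None if absent."""
    for part in set_cookie.split(";")[1:]:      # first part is name=value
        name, _, value = part.strip().partition("=")
        if name.lower() == "domain":
            return value.strip().lower()
    return None


def domain_matches(request_host, domain):
    """True if request_host is the dotted Domain's own host or falls under it."""
    return ("." + request_host.lower()).endswith(domain)


def check_cookie(request_host, set_cookie):
    """Return (accepted, effective domain or rejection reason)."""
    domain = domain_attribute(set_cookie)
    if domain is None:
        # "Domain Defaults to the request-host": nothing to reject.
        return True, request_host
    if not domain.startswith("."):
        return False, "Domain does not start with a dot"
    if "." not in domain[1:].rstrip("."):
        return False, "Domain contains no embedded dots"
    if not domain_matches(request_host, domain):
        return False, "request-host does not domain-match Domain"
    return True, domain


if __name__ == "__main__":
    # Constructed inputs: the header from the question with each Domain tried.
    base = "user=kenny; Path=/"
    for host, dom in [("franklin", "franklin"), ("franklin", ".franklin"),
                      ("franklin", ".franklin.local"), ("franklin", None),
                      ("franklin.local", ".franklin.local")]:
        header = base if dom is None else f"{base}; domain={dom}"
        print(host, repr(dom), check_cookie(host, header))
```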