
Domain set cookie for subdomain

I looked at many questions about cookies but didn't find an answer to my problem. I have the following scenario:

A user creates a login on example.com and should get a cookie, but only for the subdomain fuu.example.com. I generate the following HTTP header:

Set-Cookie: name=TestUser; Domain=fuu.example.com; Path=/; secure; HttpOnly

But when I make a request to https://fuu.example.com, the cookie is not added to the request. I wonder if it is possible for example.com to set a cookie for fuu.example.com. I know that example.com can set a cookie for .example.com, i.e. for all subdomains of example.com, but that's not what I want.

How do I set a cookie for a subdomain? I am not seeing the cookie in a request to the subdomain.

asked Mar 10 '11 by Jarus



1 Answer

No. Besides the fact that fuu.example.com is an invalid Domain value (it must start with a ., i.e. .fuu.example.com) (see update below), the cookie would get rejected:

To prevent possible security or privacy violations, a user agent rejects a cookie (shall not store its information) if any of the following is true:

  • The request-host is a Fully-Qualified Domain Name (not IP address) and has the form HD, where D is the value of the Domain attribute, and H is a string that contains one or more dots.

The request-host is example.com and the Domain attribute value is foo.example.com. But the request-host example.com does not have the form HD where D would be foo.example.com. Thus the cookie gets rejected.


Update: The current specification, RFC 6265, which obsoleted the RFC 2109 quoted above, does ignore the leading dot. But the effective domain is handled the same:

[…] if the value of the Domain attribute is "example.com", the user agent will include the cookie in the Cookie header when making HTTP requests to example.com, www.example.com, and www.corp.example.com. (Note that a leading %x2E ("."), if present, is ignored even though that character is not permitted, but a trailing %x2E ("."), if present, will cause the user agent to ignore the attribute.)

[…] the user agent will accept a cookie with a Domain attribute of "example.com" or of "foo.example.com" from foo.example.com, but the user agent will not accept a cookie with a Domain attribute of "bar.example.com" or of "baz.foo.example.com".

answered Oct 03 '22 by Gumbo
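The storage and matching rules the answer quotes from RFC 6265 (sections 5.1.3, 5.2.3, 5.3 and 5.4), as an added model in Python that is not part of the original answer. It reproduces the question's rejected cookie and the accepted/rejected cases listed in the update; the public-suffix check and the Path, Secure and expiry attributes are deliberately left out, and the names below are the example's own.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


def _is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def domain_matches(string: str, domain: str) -> bool:
    """RFC 6265 s5.1.3: does `string` (a request-host) domain-match `domain`?"""
    string, domain = string.lower(), domain.lower()
    if string == domain:
        return True
    # `domain` must be a suffix preceded by a dot, and `string` must be a host name, not an IP
    return string.endswith("." + domain) and not _is_ip(string)


@dataclass
class StoredCookie:
    name: str
    value: str
    domain: str      # effective domain the cookie is scoped to
    host_only: bool  # True when no usable Domain attribute was given


def store_cookie(request_host: str, name: str, value: str,
                 domain_attr: Optional[str]) -> Optional[StoredCookie]:
    """RFC 6265 s5.2.3 and s5.3 step 6: the stored cookie, or None if the user agent rejects it."""
    request_host = request_host.lower()
    cookie_domain = ""
    if domain_attr:
        cookie_domain = domain_attr.lower()
        if cookie_domain.startswith("."):   # a leading dot is ignored
            cookie_domain = cookie_domain[1:]
        if cookie_domain.endswith("."):     # a trailing dot makes the attribute ignored
            cookie_domain = ""
    if cookie_domain:
        if not domain_matches(request_host, cookie_domain):
            return None                      # request-host does not domain-match: rejected
        return StoredCookie(name, value, cookie_domain, host_only=False)
    return StoredCookie(name, value, request_host, host_only=True)


def cookie_sent_to(cookie: StoredCookie, request_host: str) -> bool:
    """RFC 6265 s5.4 step 1 (domain part): is the cookie attached to a request to request_host?"""
    request_host = request_host.lower()
    if cookie.host_only:
        return request_host == cookie.domain
    return domain_matches(request_host, cookie.domain)
```

`store_cookie("example.com", "name", "TestUser", "fuu.example.com")` returns None, which is the question's case; a Domain of `.example.com` set from example.com is stored and then sent to fuu.example.com as well.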