Is it possible to share a cookie between 'some' subdomains?

Tags: http, cookies

I've been reading some posts about web performance. One of the points is to serve static content from a cookie-free domain. My question is:

Can I share cookies between, let's say example.com and www.example.com, while excluding static1.example.com, static2.example.com, etc?

Or do I need to set a different top level domain?

I know (or I think) that I could set the domain of the cookie to '.example.com', but, correct me if I'm wrong, this shares the cookies across all sub-domains.

Cesar asked Jul 16 '09 06:07


People also ask

Can cookies be shared across sub domains?

To share cookies across subdomains, you can simply create cookies with the domain directive set to the parent domain, in this case, example.com, rather than either of the specific subdomains.

Are cookies domain specific?

If a cookie's domain attribute is not set, the cookie is only applicable to its origin domain. If a cookie's domain attribute is set, the cookie is applicable to that domain and all its subdomains; the cookie's domain must be the same as, or a parent of, the origin domain.

Is a subdomain a third party cookie?

Conclusion: if a resource sets a cookie and the base domain on the resource is the same as the base domain on the web site, but the subdomain is different, popular browsers do not treat it as a third-party cookie.

Can local storage be shared between subdomains?

That's because localStorage doesn't support sharing the storage across subdomains or even domains. Thus, if you have something stored at a.example.com it won't be accessible from example.com or b.example.com.


3 Answers

If you need to share cookies across subdomains you need to scope the cookie at the domain level (e.g. .example.com). When you do that the cookie is available to all the subdomains of .example.com.

For a cookie free static content domain, it is usually a separate domain (e.g. example_staticstuff.com). There is a default two connection limit per domain in HTTP 1.1, so having separate domains often helps speed up simultaneous downloads.

jnoss answered Oct 13 '22 12:10


Your assumptions are correct :-)

Philippe Leybaert answered Oct 13 '22 12:10


You would have to set a cookie for each sub-domain you want to authorize with the full host-name. This creates additional HTTP header overhead and would be a maintenance nightmare :[

Nolte answered Oct 13 '22 14:10
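
As an added example (not part of the original thread), this sketch models the RFC 6265 storage and domain-matching rules behind the answers above, showing which hosts receive a cookie set with `Domain=.example.com` versus one set with no Domain attribute. The function names and the `static.example-cdn.test` host are assumptions made for illustration; public-suffix rejection, Path, Secure, SameSite and expiry are not modelled.

```javascript
// Simplified RFC 6265 cookie scoping (sections 5.1.3, 5.2.3, 5.3, 5.4).
// Not modelled: public-suffix rejection, Path, Secure, SameSite, expiry.

const isIp = (h) => /^\d{1,3}(\.\d{1,3}){3}$/.test(h) || h.includes(":");

// 5.1.3: host matches domain if identical, or if domain is a dot-separated suffix.
function domainMatch(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  if (host === domain) return true;
  return !isIp(host) && host.endsWith("." + domain);
}

// What the browser stores when `setterHost` returns a Set-Cookie header.
// domainAttr is the Domain attribute value, or null when it is absent.
function storeCookie(name, setterHost, domainAttr) {
  if (domainAttr) {
    const domain = domainAttr.replace(/^\./, ""); // a leading dot is ignored
    if (!domainMatch(setterHost, domain)) return null; // cookie is rejected
    return { name, domain: domain.toLowerCase(), hostOnly: false };
  }
  // No Domain attribute: host-only cookie bound to the exact setting host.
  return { name, domain: setterHost.toLowerCase(), hostOnly: true };
}

// 5.4: is this stored cookie attached to a request for `requestHost`?
function isSentTo(cookie, requestHost) {
  const host = requestHost.toLowerCase();
  return cookie.hostOnly ? host === cookie.domain : domainMatch(host, cookie.domain);
}

function recipients(cookie, hosts) {
  return hosts.filter((h) => isSentTo(cookie, h));
}

// Constructed sample hosts: those from the question plus one separate domain.
const HOSTS = ["example.com", "www.example.com", "static1.example.com",
               "static2.example.com", "static.example-cdn.test"];

const shared = storeCookie("session", "www.example.com", ".example.com");
const hostOnly = storeCookie("session", "www.example.com", null);
const apexOnly = storeCookie("session", "example.com", null);

console.log("Domain=.example.com ->", recipients(shared, HOSTS));
console.log("host-only (www)     ->", recipients(hostOnly, HOSTS));
console.log("host-only (apex)    ->", recipients(apexOnly, HOSTS));
```

Under these rules a session cookie scoped to the parent domain is attached to every request for the static subdomains as well, while a host-only cookie stays on the single hostname that set it.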