I'm baffled over a recent problem I'm having with the use of partial domain name cookies. I'm using partial domain cookies in my app to manage a single sign-on scenario. Everything was working fine until I happened to try it with the Google App Engine domain appspot.com.
Try as I may, I could not get the browser to accept appspot.com as a partial domain cookie. Here is the HTTP response header I am sending:
foo=bar;Path=/;Domain=.appspot.com
If my app is at http://my.appspot.com, the browser ignores the set cookie. I can do this with other domains (e.g. google.com) and all is well (I am using my hosts file to direct the browser to my Mac). It fails when I run it locally, on App Engine, or anywhere else.
I can't think of any reason this domain name would be special. Does anyone have any ideas?
The domain appspot.com offers developers an infrastructure to build, deploy, and scale applications, websites, and services. But this infrastructure is abused to host phishing websites and riskware.
As you may know, a cookie can't be set for one domain directly from another domain. If you have multiple sites where you need to set a cookie from a parent site, you can use basic HTML and JS to set the cookies. Google does it the same way.
As we know, a cookie set by one domain cannot be accessed by another domain. But a cookie set on the main domain can be accessed by its subdomains. Example: a cookie set to domain "maindomain.com" can be accessed by any subdomain of the main domain, that is subdomain.maindomain.com, anysub.maindomain.com.
If a cookie's domain attribute is not set, the cookie is only applicable to its origin domain. If a cookie's domain attribute is set, the cookie is applicable to that domain and all its subdomains; the cookie's domain must be the same as, or a parent of, the origin domain.
I believe this might answer your question.
To quote:
I tested. It is not possible for a page of a child domain to create a cookie for the parent domain. Hence this issue doesn't exist.
Further clarification that might help; according to this Google Groups thread:
It appears that I cannot set a cookie with domain=.appspot.com. When I do that, it doesn't show up in the list of cookies. I can set a cookie in a sub-domain of .appspot.com (domain=foo.appspot.com) but not on appspot.com itself.
And Jon McAlister's reply:
It's because appspot.com was added to the public suffix list of domains that modern browsers should not allow cookies to be set for: see here
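The check that drops the cookie, as an added example that is not part of the original thread: a simplified version of the RFC 6265 section 5.3 Domain handling. PUBLIC_SUFFIXES is a two-entry constructed sample, not the real public suffix list (which also has wildcard and exception rules), and evaluateCookieDomain is a hypothetical name.

```javascript
// Constructed sample only; browsers ship the full public suffix list.
const PUBLIC_SUFFIXES = new Set(["com", "appspot.com"]);

// RFC 6265 section 5.1.3: the host equals the domain or ends with "." + domain.
// (IP address hosts, which never domain-match a parent, are not handled here.)
function domainMatch(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

// Decide what a user agent does with a Set-Cookie Domain attribute
// received in a response from requestHost.
function evaluateCookieDomain(requestHost, domainAttr) {
  const host = requestHost.toLowerCase();
  // Section 5.2.3: a leading dot is ignored and the value is lowercased.
  const domain = (domainAttr || "").toLowerCase().replace(/^\./, "");

  if (domain === "") {
    return { accepted: true, hostOnly: true, domain: host, reason: "no Domain attribute" };
  }
  if (PUBLIC_SUFFIXES.has(domain)) {
    // Section 5.3 step 5: a public suffix is tolerated only when it is
    // exactly the request host, and the cookie is then stored as host-only.
    if (domain === host) {
      return { accepted: true, hostOnly: true, domain: host, reason: "public suffix equals host" };
    }
    return { accepted: false, hostOnly: false, domain: null, reason: "Domain is a public suffix" };
  }
  // Section 5.3 step 6: the request host must domain-match the attribute.
  if (!domainMatch(host, domain)) {
    return { accepted: false, hostOnly: false, domain: null, reason: "host does not domain-match" };
  }
  return { accepted: true, hostOnly: false, domain: domain, reason: "domain cookie" };
}

// The header from the question, then the cases that do work.
console.log(evaluateCookieDomain("my.appspot.com", ".appspot.com"));
console.log(evaluateCookieDomain("my.appspot.com", "my.appspot.com"));
console.log(evaluateCookieDomain("my.google.com", ".google.com"));
```

For single sign-on across apps on a shared hosting suffix like this one, the cookie has to be scoped to a domain you control (a custom domain), since sibling subdomains of a public suffix cannot share cookies.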