38

Suppose I have a site at www.example.com which has an IFRAME pointing to ASP.NET site myapp.othersite.com - this causes issues with session and 3rd-party cookies which I understand.

If I moved the embedded app to myapp.example.com, would the session cookie still count as a 3rd-party cookie as it is a different subdomain?

durron597
RossJ

3 Answers

30

Cookies seem to be considered 3rd party if they come from different base domains (base domains being example.com or example.co.uk), but not if they come from different subdomains of the same base domain.

myapp.example.com will be able to set cookies with domain myapp.example.com if it is embedded within www.example.com.

Having myapp.example.com set cookies with domain .example.com is unnecessary unless those cookies need to be read from a different subdomain.

[Tested in Firefox, Chrome (with 3rd party cookies blocked) and Safari] [ThirdPartyUtil.IsThirdPartyInternal seems to be where this is checked in Firefox]

Bewusstsein
  • This is correct for modern browsers. Took me a while to figure out why my oauth login is not working in development mode – wirtsi Feb 26 '21 at 13:33
  • Could you explain exactly how "base domain" is determined in this case? For instance, `.com` and `.uk` are both TLDs, `example.com` and `co.uk` are second-level domains, `foo.example.com` and `foo.co.uk` are both third-level domains. What decides that `example.com` and `foo.co.uk` are base domains when one is second level and one is third? – Andy Oct 21 '22 at 10:48
  • If anyone else is confused about what constitutes a "base domain", the correct terminology for this is "eTLD", and the definition of a first-party cookie is if the "eTLD+1"s are the same - e.g. see https://web.dev/same-site-same-origin. Specifically you can't tell just by counting the number of dots whether 2 domains are in the same base domain; you have to look it up in a published list of eTLDs – Andy Nov 30 '22 at 16:06
  • Just to be clear: if my backend is at **api.website.com** and it serves login session http-only cookies to my frontend at **website.com**, would my cookies be considered third-party when users log in at **website.com**? Thank you for answering my question! – KJ Ang Jan 12 '23 at 04:20
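The "base domain" the accepted answer and Andy's comments talk about is the eTLD+1 (registrable domain), and it has to be looked up against the Public Suffix List rather than derived by counting labels. The following is an added example, not code from the question or any of the answers: it computes the registrable domain for the hostnames used on this page and classifies each embedding as same-site or cross-site. The public suffix set is a tiny constructed subset of the real list (assumed here for illustration; a real implementation loads the full list from https://publicsuffix.org/), and the scheme is deliberately ignored, so "schemeful" same-site checks that distinguish http from https are out of scope.

```javascript
// Added example (not from the original question or answers). Decides whether a
// framed/requested host is "same-site" with the top-level page the way browsers
// do for cookie purposes: by comparing registrable domains (eTLD+1), never by
// counting dot-separated labels.

// Constructed subset of the Public Suffix List, assumed for this example only.
// Note that "github.io" is a public suffix, so alice.github.io and bob.github.io
// are different sites even though they share a suffix.
const PUBLIC_SUFFIXES = new Set([
  "com", "net", "org", "uk", "co.uk", "org.uk", "jp", "co.jp", "github.io",
]);

// Return the registrable domain (eTLD+1) of a hostname, or null when the host
// is itself a public suffix (e.g. "co.uk") and therefore has no registrable part.
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().replace(/\.$/, "").split(".");
  // Walk from the full host downwards so the first hit is the longest public suffix.
  for (let i = 0; i < labels.length; i++) {
    const suffix = labels.slice(i).join(".");
    if (PUBLIC_SUFFIXES.has(suffix)) {
      // The label immediately before the suffix plus the suffix is the eTLD+1.
      return i === 0 ? null : labels.slice(i - 1).join(".");
    }
  }
  // No rule matched: the PSL's implicit "*" rule treats the last label as the suffix.
  return labels.length >= 2 ? labels.slice(-2).join(".") : null;
}

// Two hosts are same-site when they share a registrable domain.
function isSameSite(topHost, requestHost) {
  const a = registrableDomain(topHost);
  const b = registrableDomain(requestHost);
  return a !== null && a === b;
}

// Classify a cookie set by `frameHost` from the point of view of a page on `topHost`.
// Same-site cookies are not subject to a browser's third-party cookie blocking.
function cookieContext(topHost, frameHost) {
  if (topHost.toLowerCase() === frameHost.toLowerCase()) return "same host";
  return isSameSite(topHost, frameHost)
    ? "same-site (not blocked as third-party)"
    : "cross-site (third-party)";
}

// Scenarios taken from the question and the comments above.
const scenarios = [
  ["www.example.com", "myapp.othersite.com"], // the original problem: cross-site
  ["www.example.com", "myapp.example.com"],   // the proposed move: same-site
  ["website.com", "api.website.com"],         // KJ Ang's backend/frontend split
  ["foo.co.uk", "bar.co.uk"],                 // same label count, different sites
  ["alice.github.io", "bob.github.io"],       // suffix is public, so different sites
];
for (const [top, frame] of scenarios) {
  console.log(`${top} embedding ${frame}: ${cookieContext(top, frame)}`);
}
```

The `foo.co.uk` / `bar.co.uk` and `alice.github.io` / `bob.github.io` rows are the point of Andy's second comment: both pairs have the same number of labels as `www.example.com` / `myapp.example.com`, yet only the example.com pair is same-site, because the decision depends on which suffixes are public.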
17

If you set a cookie on domain .example.com,

then a cookie from www.example.com and www.myapp.example.com will be considered the same.

No cookie is treated as a 3rd party cookie.

0x6A75616E
Yogesh Prajapati
  • Not sure what domain ASP.NET will use by default for session, but looking at [this question](http://stackoverflow.com/questions/2326521/asp-net-session-cookies-specifying-the-base-domain) it looks like it will be example.com - I'll test and report back – RossJ Apr 11 '12 at 08:19
  • 1
    Seems to have worked, so ASP.NET session cookies on different subdomains still count as first party. – RossJ Apr 11 '12 at 15:24
  • A cookie set on a website that is loaded in an iframe of a different website is considered to be a third party cookie to the parent website. – Matty J Mar 14 '14 at 02:02
  • This shouldn't be the accepted answer because the question is about third-party cookies and this answer solves the problem by making cookies on different subdomains first-party via the domain attribute and therefore doesn't address the original question. To answer the OP: No. Because third-party cookies set from different subdomains are always allowed even when third-party cookies are explicitly blocked in the browser settings. Tested on Firefox, Edge, and Chrome. – PHP Guru Aug 19 '20 at 18:29
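This answer and the comments under it turn on the cookie Domain attribute: a cookie set without one is host-only and goes back only to the exact host that set it, while `Domain=.example.com` makes it travel to every host under example.com. The following is an added example, not code from the answer or from ASP.NET: a minimal cookie store applying the RFC 6265 domain-matching and host-only rules to the hosts in the question. It deliberately ignores Path, Secure, expiry and SameSite, and it does not reject Domain values that are public suffixes, which a real browser also does (an omission, not a claim that browsers skip that check). `ASP.NET_SessionId` is the default ASP.NET session cookie name; the values are constructed.

```javascript
// Added example (not the page's own code): a toy cookie store that applies the
// RFC 6265 Domain attribute rules. Path, Secure, expiry, SameSite and the
// public-suffix rejection rule are intentionally left out of this model.

// RFC 6265 section 5.1.3 domain matching: the request host equals the cookie
// domain, or ends with "." followed by the cookie domain.
function domainMatches(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  return host === domain || host.endsWith("." + domain);
}

// Store a Set-Cookie header received in a response from `responseHost`.
// Returns the stored cookie record, or null if a browser would reject it.
function setCookie(store, responseHost, header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const name = pair.slice(0, eq);
  const value = pair.slice(eq + 1);

  let domain = null;
  for (const attr of attrs) {
    const [k, v = ""] = attr.split("=");
    // A leading dot on the Domain value is ignored by modern browsers.
    if (k.toLowerCase() === "domain" && v) domain = v.replace(/^\./, "").toLowerCase();
  }

  if (domain === null) {
    // No Domain attribute: host-only cookie, returned only to the exact host.
    store.push({ name, value, domain: responseHost.toLowerCase(), hostOnly: true });
  } else {
    // The Domain attribute must cover the responding host; otherwise the
    // cookie is dropped (a host cannot set cookies for an unrelated domain).
    if (!domainMatches(responseHost, domain)) return null;
    store.push({ name, value, domain, hostOnly: false });
  }
  return store[store.length - 1];
}

// The cookies a browser would attach to a request for `requestHost`.
function cookiesFor(store, requestHost) {
  const host = requestHost.toLowerCase();
  return store
    .filter((c) => (c.hostOnly ? host === c.domain : domainMatches(host, c.domain)))
    .map((c) => `${c.name}=${c.value}`);
}

// Walk-through with the hosts from the question (values are constructed).
const jar = [];
// The framed app at myapp.example.com sets its session cookie with no Domain attribute...
setCookie(jar, "myapp.example.com", "ASP.NET_SessionId=abc123; HttpOnly");
// ...and a second cookie scoped to the whole registrable domain.
setCookie(jar, "myapp.example.com", "shared=1; Domain=.example.com");
// A Domain the responding host is not inside is rejected outright.
const rejected = setCookie(jar, "myapp.example.com", "evil=1; Domain=othersite.com");

console.log("rejected:", rejected);                       // null
console.log("to myapp.example.com:", cookiesFor(jar, "myapp.example.com"));
console.log("to www.example.com:  ", cookiesFor(jar, "www.example.com"));
console.log("to www.othersite.com:", cookiesFor(jar, "www.othersite.com"));
```

Run it and the host-only session cookie only reaches myapp.example.com, while `shared=1` reaches both subdomains; this is why the answer's approach works for sharing state between subdomains, and also why it is unnecessary for the original question, since the iframe's own requests go to myapp.example.com and receive the host-only cookie regardless.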
6

Assuming that the domain attribute is not set on the cookie in question, in this scenario it is indeed a third-party cookie due to the hostnames being different. However, browsers that would ordinarily block third-party cookies will not block it due to the base domains being the same. So in that respect it is not treated as a third-party cookie.

I know this because I was able to successfully set and read a third-party cookie when the base domain was the same and the subdomain was different while third-party cookies were blocked in the browser settings of the latest versions of Firefox, Chrome, and Microsoft Edge. This was true even when no domain attribute was set on the cookie. This means that Firefox, Chrome, and Microsoft Edge do not consider cookies from the same base domain to be third-party cookies.

My methodology was as follows. I have two different hostnames with the same base domain but different subdomains. One of them contains two PHP files. The first sets a cookie with a random cookie name and no domain attribute and returns the name of the cookie as JSONP. The second attempts to read the cookie and then returns either true or false as JSONP. The other hostname contains an HTML file that uses AJAX to query the first PHP file that sets the cookie, and then when done, immediately uses AJAX again to query the second PHP file that tests for the existence of the cookie. I first made sure that third party cookies were being blocked by the browser before moving forward. I tested three browsers: Firefox, Chrome and Microsoft Edge. In all cases the results showed that the cookie was successfully set and read even though the cookie was from a different domain as long as the base domains were the same.

Conclusion: if a resource sets a cookie and the base domain on the resource is the same as the base domain on the web site, but the subdomain is different, popular browsers do not treat it as a third-party cookie.

PHP Guru
  • This appears to apply to the new SameSite flag, too. I tested setting a cookie to Strict, and it was still included in requests to another subdomain on the same base domain. – Doug McClean Mar 03 '20 at 02:31