I have manually created two cookies using Firebug:

```
Cookie1=value1; expires=Sat, 29 Mar 2014 06:21:54 GMT; path=/Ex05Cookie; domain=localhost; HttpOnly
Cookie2=value2; expires=Sat, 29 Mar 2014 06:21:54 GMT; path=/Ex05Cookie; domain=localhost:8080; HttpOnly
```

The only difference is the domain attribute: one is localhost while the other has a port number.

This is the HTTP header when I try to request http://localhost:8080/Ex05Cookie/:

```
GET /Ex05Cookie/ HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:20.0) Gecko/20100101 Firefox/20.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: Cookie1=value1
Connection: keep-alive
Cache-Control: max-age=0
```

where the header only contains Cookie1 whose domain is localhost.

Why doesn't my Firefox send Cookie2 instead of Cookie1?

Yishu Fang
  • I guess it's the "same-domain" issue with the HTTP mechanics, where the browser won't distinguish different paths and/or ports to use different cookies within the same domain. –  Apr 29 '13 at 05:57
  • But this may cause problems, because different servers run on different ports, and cookies created by the httpd server (port 80) should not be sent to Tomcat (port 8080). – Yishu Fang Apr 29 '13 at 06:00
  • Very true; I'm also interested in who would know a workaround for this. –  Apr 29 '13 at 06:01
  • IDK if it will help very much but this blog post has some information about cookies and their domain attributes and how browsers handle them: https://github.com/blog/1466-yummy-cookies-across-domains –  Apr 29 '13 at 06:35
  • Here's a good discussion about the question [Are HTTP cookies port specific?](http://stackoverflow.com/questions/1612177/are-http-cookies-port-specific). Actually there are 2 aspects: 1) from browser to origin server and 2) from origin server to browser. Both are well explained in [RFC6265](http://tools.ietf.org/html/rfc6265) – shawnzhu Jul 08 '13 at 00:43
  • Assuming this is for testing, an easy workaround is to modify your hosts file with an alias for localhost. http://helpdeskgeek.com/windows-7/windows-7-hosts-file/ Or use Fiddler to redirect requests to host XXX to localhost:xx http://docs.telerik.com/fiddler/knowledgebase/fiddlerscript/modifyrequestorresponse – eSniff Feb 14 '14 at 22:25
  • This is answered on SO here: http://stackoverflow.com/questions/1612177/are-http-cookies-port-specific – Rob H May 09 '14 at 19:57

2 Answers

This is answered by https://stackoverflow.com/a/4212964/14731 and by the author of RFC 6265:

> If we were designing cookies today, we'd definitely make it per-port. However, cookies are widely used on the Internet today and making this sort of change would break too many sites. For the most part, cookies are "done" in the sense that I wouldn't expect them to change much. Unfortunately, that means we're stuck with cookies not respecting port number.

Source: https://groups.google.com/d/msg/comp.infosystems.www.misc/6WXdQ2RFhG8/VvOUuR3FNAUJ

Gili
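
The port-blind matching described in the answer above, sketched from the domain-match and path-match rules of RFC 6265 (an added example, not code from the post; the function names and jar layout are this example's own, and expiry, Secure and host-only handling are left out):

```javascript
// RFC 6265 section 5.1.3: domain-match compares host names only.
function domainMatches(requestHost, cookieDomain) {
  const host = requestHost.toLowerCase();
  const domain = cookieDomain.toLowerCase().replace(/^\./, "");
  if (host === domain) return true;
  // Suffix match on a label boundary; never applied to IP literals.
  const isIp = /^[\d.]+$/.test(host) || host.includes(":");
  return !isIp && host.endsWith("." + domain);
}

// RFC 6265 section 5.1.4: path-match.
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// Build the Cookie header value for a request URL (section 5.4, simplified).
function cookieHeaderFor(requestUrl, jar) {
  const url = new URL(requestUrl);
  // url.hostname drops the port, so the port never enters the comparison.
  return jar
    .filter((c) => domainMatches(url.hostname, c.domain))
    .filter((c) => pathMatches(url.pathname, c.path))
    .map((c) => `${c.name}=${c.value}`)
    .join("; ");
}

// Constructed jar mirroring the two cookies created by hand in the question.
const jar = [
  { name: "Cookie1", value: "value1", domain: "localhost", path: "/Ex05Cookie" },
  { name: "Cookie2", value: "value2", domain: "localhost:8080", path: "/Ex05Cookie" },
];

// Tomcat on 8080 and httpd on 80 both receive Cookie1; Cookie2 matches neither,
// because "localhost:8080" is never equal to the host name "localhost".
console.log(cookieHeaderFor("http://localhost:8080/Ex05Cookie/", jar));
console.log(cookieHeaderFor("http://localhost/Ex05Cookie/", jar));
```

Because every service on the same host name receives the cookie, isolating two applications requires separate host names rather than separate ports.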

The cookie port is not supposed to be set on the domain (as in the wrong "domain=foobar.com:8443") but as a separate cookie 'port' param (as in "domain=foobar.com; port=8443").