1

I have been reading through How do browser cookie domains work? and the RFC at and it answered many of my questions about cookies. Not all of them though (though I'm sure the answer is in the RFC, I haven't been able to properly parse it). I have some more questions, which I will pose in the same format as the above question.

  • should a cookie for www.example.com be available to www.example.com/path?
  • should a cookie for example.com/path be available for www.example.com?
  • should www.example.com be able to set a cookie for www.example.com/path?
  • should a cookie for www.example.com/path be available to www.example.com?
  • should www.example.com/path be able to set a cookie for www.example.com?
  • if a cookie is set for www.example.com containing foo=bar, and after that a cookie is set for example.com containing foo=baz should example.com be sent the former, or the latter or both?
  • if a cookie is set for www.example.com containing foo=bar that expires in a day, then a cookie containing foo=baz is set that will expire in 15 minutes, should after the latter cookie expires the former cookie be sent?

EDIT One more:

  • if a cookie is set for www.example.com containing foo=bar, and after that a cookie is set for example.com containing foo=baz what cookie should www.example.com be sent?

Also fixed second case

Martijn

1 Answer

6
  • should a cookie for www.example.com be available to www.example.com/path?

Yes

  • should a cookie for example.com/path be available for www.example.com?

No

  • should www.example.com be able to set a cookie for www.example.com/path?

(Yes) Most likely (Cookie Path is not a security feature)

  • should a cookie for www.example.com/path be available to www.example.com?

(No) The cookie will not be sent to www.example.com, but www.example.com can contain JavaScript that can fetch the cookie through an iframe. Again, cookie path is not a security feature.

  • should www.example.com/path be able to set a cookie for www.example.com?

Yes

  • if a cookie is set for www.example.com containing foo=bar, and after that a cookie is set for example.com containing foo=baz should example.com be sent the former, or the latter or both?

Latter, because example.com does not have access to www.example.com's cookies.

  • if a cookie is set for www.example.com containing foo=bar that expires in a day, then a cookie containing foo=baz is set that will expire in 15 minutes, should after the latter cookie expires the former cookie be sent?

No, because the second cookie will overwrite the first.

  • if a cookie is set for www.example.com containing foo=bar, and after that a cookie is set for example.com containing foo=baz what cookie should www.example.com be sent?

Unspecified behaviour. Either or both (concatenated) seems to be valid.

How to handle multiple cookies with the same name

Edit: Added answer to new question, corrected question 2 and changed answer.

Jo Are By
  • Thank you for the initial clarification. The question comes from a need to implement the client side of cookies manually, so what browsers can do with iframes is not really relevant to me, just what cookies I should accept, and what cookies I should offer to the server. Should I read 3: yes, 4: no, 7: no, overwrite regardless of expiration? Still open for 6 (not in original question, will edit): which cookie should www.example.com be sent? – Martijn Aug 28 '13 at 08:37
  • Regarding your last question: This behaviour is unspecified. You can return either or both (concatenated). http://stackoverflow.com/questions/4056306/how-to-handle-multiple-cookies-with-the-same-name http://www.sitepoint.com/3-things-about-cookies-you-may-not-know/ – Jo Are By Aug 28 '13 at 12:35
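
For anyone implementing the client side by hand, as the comment above describes, this added example (not part of the original answer or comments) implements the domain-match, path-match and replace-on-store rules of RFC 6265 section 5 and can be used to replay the cases discussed. `CookieJar` and its method names are hypothetical; IP-address hosts, public-suffix checks, Secure/HttpOnly and default-path computation are left out, and `now` is passed in as plain seconds.

```python
# Added example: minimal RFC 6265 section 5 matching and storage (not a full client).
# Omitted: IP-address hosts, public-suffix rejection, Secure/HttpOnly, default-path.
import itertools

def domain_match(host, domain):
    """5.1.3: host equals the cookie domain or is a subdomain of it."""
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)

def path_match(request_path, cookie_path):
    """5.1.4: cookie path is a prefix of the request path on a '/' boundary."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"

class CookieJar:  # hypothetical name
    def __init__(self):
        self.store = {}                      # (name, domain, path) -> cookie
        self.order = itertools.count()       # stand-in for creation-time

    def set(self, request_host, name, value, now, domain=None, path="/", max_age=None):
        host_only = domain is None           # no Domain attribute: exact host only
        domain = (domain or request_host).lstrip(".").lower()
        if not domain_match(request_host, domain):
            return False                     # host may not set cookies for this domain
        key = (name, domain, path)
        old = self.store.get(key)            # same name+domain+path replaces, whatever the expiry
        self.store[key] = {
            "value": value, "host_only": host_only,
            "expires": None if max_age is None else now + max_age,
            "created": old["created"] if old else next(self.order),
        }
        return True

    def header(self, host, path, now):
        hits = []
        for (name, domain, cpath), c in self.store.items():
            if c["expires"] is not None and c["expires"] <= now:
                continue                     # expired; nothing older resurfaces
            ok = host.lower() == domain if c["host_only"] else domain_match(host, domain)
            if ok and path_match(path, cpath):
                hits.append((-len(cpath), c["created"], f"{name}={c['value']}"))
        # 5.4: longer paths first, then earlier creation; servers should not rely on it
        return "; ".join(pair for _, _, pair in sorted(hits))
```

Whether `www.example.com` receives the `example.com` cookie as well depends on whether that cookie was set with a `Domain` attribute; without one it is host-only and goes to `example.com` alone.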