As per my understanding, cookies (like jsessionID) are sent to the server from the browser if all of the below parameters are the same.

Parameters are protocol, domain name (or IP address + port number), application context.

For example: if I send the request to http://localhost:8080/testApp/ and it has some cookies associated with it.

Now if I hit the request to any of the below URLs, the above set of cookies won't be sent:

https://localhost:8080/testApp/ (protocol changed)

http://localhost:9001/testApp/ (port changed)

http://localhost:8080/testApp1/ (application context changed)

Is my understanding correct?

UPDATE: the wiki says the domain is derived from the request domain if domain is not specified. I believe the same is true for path/application context. It means if the path and domain attributes are empty, cookies will be specific to the requested URL but do not depend on protocol (http or https). Is that correct now?

emilly
  • No, it's not. Read https://en.wikipedia.org/wiki/HTTP_cookie#Cookie_attributes, http://stackoverflow.com/questions/1612177/are-http-cookies-port-specific – JB Nizet Dec 19 '15 at 15:12
  • @JBNizet The link https://en.wikipedia.org/wiki/HTTP_cookie#Cookie_attributes says `the domain is derived from the request domain` if domain is not specified. I believe the same is true for path/application context. It means if the path and domain attributes are empty, cookies will be specific to the requested URL but do not depend on protocol (http or https). Is that correct now? – emilly Dec 19 '15 at 15:44
  • @JBNizet Can you please confirm on the updated post? – emilly Dec 19 '15 at 17:40
  • I don't know. Read the RFC, or just test it and see. Click on a link pointing to a different path/protocol, open the browser dev tools, and inspect the request being sent, to see if it contains the cookie. – JB Nizet Dec 19 '15 at 18:08
  • Thanks, I will do that. Actually I got a bit confused when you said `No, it's not ..` But per the link you pointed out and my findings from browser dev tools, the same cookies will not be sent if the path (app context) or domain is different. Yes, I need to try it out for https. – emilly Dec 19 '15 at 18:18
  • Your question asks if your understanding is correct. You think that changing the port causes the cookie not to be sent. And that's not correct. You think that changing the protocol causes the cookie not to be sent. And that's not correct. So, your understanding was not correct, was it? – JB Nizet Dec 19 '15 at 18:23
  • My understanding is from browser dev tools. If I changed the port number, cookies were not sent. To confirm it, the wiki link says cookies are sent based on the domain and path. If a cookie does not have a domain name then `the domain is derived from the request domain`. So if the port name changes then the requested domain changes. Right? Maybe I am wrong here. I believe here the domain constitutes localhost:8080 – emilly Dec 19 '15 at 18:40

0 Answers
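The three URLs from the question, run through the cookie matching rules of RFC 6265 (domain-match, path-match, the Secure attribute). This is an added example, not code from the original thread; `storeCookie`, `wouldSend` and the `attrs` shape are hypothetical names. It models only those three rules and ignores SameSite, expiry, public-suffix checks and any browser-specific policy.

```javascript
// RFC 6265 section 5.1.4: the default path is the request path up to,
// but not including, its right-most "/".
function defaultPath(requestPath) {
  if (!requestPath.startsWith("/")) return "/";
  const lastSlash = requestPath.lastIndexOf("/");
  return lastSlash === 0 ? "/" : requestPath.slice(0, lastSlash);
}

// RFC 6265 section 5.1.4 path-match: equal, or a prefix ending on a "/" boundary.
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// Hypothetical helper: the cookie a user agent would store for a Set-Cookie
// received from setUrl. attrs = { domain, path, secure }, all optional.
function storeCookie(setUrl, name, attrs = {}) {
  const u = new URL(setUrl);
  return {
    name,
    hostOnly: !attrs.domain, // no Domain attribute => exact host match only
    domain: (attrs.domain || u.hostname).replace(/^\./, "").toLowerCase(),
    path: attrs.path || defaultPath(u.pathname),
    secure: Boolean(attrs.secure),
  };
}

// RFC 6265 section 5.4: would this cookie be attached to a request for requestUrl?
function wouldSend(cookie, requestUrl) {
  const u = new URL(requestUrl);
  const host = u.hostname.toLowerCase();
  const domainOk = cookie.hostOnly
    ? host === cookie.domain
    : host === cookie.domain || host.endsWith("." + cookie.domain);
  const schemeOk = !cookie.secure || u.protocol === "https:";
  // u.port is never consulted: RFC 6265 does not isolate cookies by port.
  return domainOk && pathMatches(u.pathname, cookie.path) && schemeOk;
}

// Constructed sample: a cookie set with no Domain, Path or Secure attribute.
const jsession = storeCookie("http://localhost:8080/testApp/", "JSESSIONID");
for (const url of ["https://localhost:8080/testApp/",
                   "http://localhost:9001/testApp/",
                   "http://localhost:8080/testApp1/"]) {
  console.log(url, wouldSend(jsession, url) ? "sent" : "not sent");
}
```

Under these rules only the changed application context stops the cookie. To keep a session cookie off plain HTTP it has to be set with the Secure attribute, which the `secure` flag models.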