12

Are sub-domain cookies sent in a parent domain HTTP request?

For instance, say I have the cookies:

Name     Value     Domain (not https)
ABC      1         .example.com
XYZ      0         foo.example.com
DEF      0         bar.example.com

Would XYZ@foo.example.com and DEF@bar.example.com be sent along in the HTTP-header cookies on a request to http://example.com/content, and/or http://QQQ.example.com/content?

Incognito

3 Answers

25

The leading dot in the domain value .example.com means example.com and its subdomains. Without the leading dot, the cookie is only valid for this specific domain.

Note that when setting a cookie, domain values without a leading dot will be prepended with a dot. Only when the domain parameter is not set does the user agent assume the current domain for that cookie.

So in this case, if http://example.com/ is requested, only the cookie for .example.com will be sent. But in case of http://foo.example.com/, both cookies for .example.com and foo.example.com will be sent. And in case of http://bla.foo.example.com, only the cookie for .example.com will be sent.

Gumbo
  • 1
    Unfortunately, this technique is supported [differently](http://www.phpied.com/www-vs-no-www-and-cookies/) by each major browser, so I would not recommend it. – Efran Cobisi Jan 16 '12 at 10:28
  • @EfranCobisi What do you mean by “this technique”? – Gumbo Jan 16 '12 at 10:41
  • I meant removing the leading dot from the cookie domain value as a solution for the original question. This should work in theory, but in practice the technique is limited by the wrong behavior of some browsers (please see my original link). – Efran Cobisi Jan 16 '12 at 11:08
  • 3
    @EfranCobisi Unfortunately, the RFCs for cookies issue different statements for the *domain* attribute. [RFC 2109](http://tools.ietf.org/html/rfc2109): “An explicitly specified domain must always start with a dot.”, “[…] a user agent rejects a cookie (shall not store its information) if […] the value for the Domain attribute […] does not start with a dot.”; in opposite to that, [RFC 6265](http://tools.ietf.org/html/rfc6265) states “[…] that a leading %x2E ("."), if present, is ignored […]”. – Gumbo Jan 16 '12 at 11:29
  • Ah, that explains everything. I suspected it could be related to the RFCs... Thanks for having pointed this one out. – Efran Cobisi Jan 16 '12 at 11:33
  • What constitutes a subdomain? A VHost with a similar domain or using mod_rewrite to map *subdomains* to different directories? – puk Mar 17 '12 at 00:05
  • @puk It depends only on the URL’s host name: `foo.example.com` refers to the subdomain *foo* of *example.com*. – Gumbo Mar 17 '12 at 06:21
  • @Gumbo "Only when the domain parameter is not set the user agent assumes the current domain for that cookie." - So you are saying every time a cookie is sent on the server-side with no domain specified that a '.' will automatically get prefixed? Also, is this the behaviour for all user-agents? – Rich Nov 09 '18 at 05:01
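A worked version of the rule this answer describes, as an added example that is not from the original answers: it implements the RFC 6265 domain match (a leading dot in the Domain attribute is ignored, a missing Domain attribute yields a host-only cookie) and applies it to the three cookies from the question. The jar and the request hosts are constructed for the example; `parse_set_cookie`, `domain_matches` and `cookies_for` are the example's own names, not a library API.

```python
from typing import NamedTuple

class Cookie(NamedTuple):
    name: str
    domain: str      # lower-case, leading dot already stripped
    host_only: bool  # True when Set-Cookie carried no Domain attribute

def domain_matches(host: str, domain: str) -> bool:
    """RFC 6265 s5.1.3: host is the domain itself or a subdomain of it,
    and is a host name rather than an IP literal (IPv4 checked only)."""
    host, domain = host.lower(), domain.lower()
    is_ipv4 = host.replace(".", "").isdigit()
    return host == domain or (host.endswith("." + domain) and not is_ipv4)

def parse_set_cookie(header: str, request_host: str):
    """Store a Set-Cookie header as RFC 6265 s5.3 does (name and Domain only);
    returns None when the user agent must ignore the cookie."""
    parts = [p.strip() for p in header.split(";")]
    domain_attr = ""
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        if key.strip().lower() == "domain":
            domain_attr = val.strip().lower().lstrip(".")  # a leading "." is ignored
    name = parts[0].partition("=")[0]
    if not domain_attr:  # no Domain attribute: host-only cookie for the request host
        return Cookie(name, request_host.lower(), True)
    if not domain_matches(request_host, domain_attr):  # e.g. Domain=example.org
        return None                                    # sent by foo.example.com
    return Cookie(name, domain_attr, False)

def cookies_for(jar, request_host: str):
    """RFC 6265 s5.4: a host-only cookie needs an exact host match; a domain
    cookie goes to that domain and to every subdomain below it."""
    host = request_host.lower()
    return [c.name for c in jar if c is not None and
            (host == c.domain if c.host_only else domain_matches(host, c.domain))]

# Constructed jar from the question: ABC set by example.com with Domain=.example.com,
# XYZ and DEF set by foo./bar.example.com with no Domain attribute (host-only).
JAR = [
    parse_set_cookie("ABC=1; Domain=.example.com", "example.com"),
    parse_set_cookie("XYZ=0", "foo.example.com"),
    parse_set_cookie("DEF=0", "bar.example.com"),
]

if __name__ == "__main__":
    for h in ("example.com", "QQQ.example.com", "foo.example.com", "bla.foo.example.com"):
        print(h, cookies_for(JAR, h))  # [ABC], [ABC], [ABC, XYZ], [ABC]
```

Had XYZ been set with an explicit `Domain=foo.example.com` (dot or no dot), it would become a domain cookie and also be sent to bla.foo.example.com, which is the difference the comments above are discussing.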
6

No. It's the other way around: parent-domain cookies are sent in sub-domain HTTP requests.

bobince
  • Is there a way to prevent parent-domain cookies from being sent in sub-domain HTTP requests? – Prachi Sep 06 '17 at 18:27
  • 1
    @Prachi: not cross-browser, no. In principle if you don't set `domain` at all they shouldn't inherit into subdomains. But IE doesn't respect that. – bobince Sep 08 '17 at 23:19
-1

The cookies of a subdomain only get sent if they were set with a domain with a leading dot on the level above it. So if www.example.com sets a cookie with domain ".example.com" then it gets sent, otherwise not.

The other way around is more confusing: the cookie set in the top level domain should only get sent to subdomains if it has the leading dot, but if you are using Internet Explorer it will also send it if it was set without the leading dot (ref).

Jan M