
Let's assume I'm on sub.example.org, how can I get the cookies of .example.org from there? If that's not possible, is there a workaround like a hack or whatever that redirects to .example.org and then stores the cookies?

WayneXMayersX

2 Answers

A web page only has visibility to the cookie with the most specific domain that matches its URL.

So if example.org and sub.example.org both have a cookie named mycookie, a web page in sub.example.org can only access the one in the subdomain. It hides the cookie in the example.org domain, and there's no way to access it.

But if there's only a cookie in example.org, it will be visible to both example.org and sub.example.org pages.

When creating a cookie, it defaults to the full domain of the page, but the code can specify a less specific domain. So if sub.example.org creates a cookie, it will default to domain=sub.example.org. But the code can override this by putting domain=.example.org in the cookie explicitly.

More details can be found in The Definitive Guide to Cookie Domains.

Barmar

The cookie was set with the HttpOnly flag, and the browser made me unable to get the cookie from JavaScript.

WayneXMayersX
  • That has nothing to do with being in a subdomain. JavaScript from the main domain shouldn't be able to access it, either. – Barmar Aug 16 '17 at 19:43
  • As much as I agree with @Barmar's comment, `HttpOnly` is pretty much the only thing that can prevent reading the cookie in OP's situation (except if you have 2 identical cookies set in both domains, like in Barmar's answer). – Didier L Aug 25 '20 at 10:27
  • @DidierL I wasn't contradicting that, just pointing out that the restriction is not specific to subdomains. – Barmar Aug 25 '20 at 14:31
  • This is an answer to a different question -- the question never says that this flag is set. – Barmar Aug 25 '20 at 14:32
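The domain scoping described in Barmar's answer and the HttpOnly restriction raised in the second answer, as an added example that is not part of the original thread: a minimal cookie jar that applies the RFC 6265 rules for the Domain attribute (no attribute means host-only on the setting host, a parent domain is accepted, any other domain is rejected) and that keeps HttpOnly cookies out of what document.cookie returns. The hostnames, cookie names and values are constructed for the demo; the Path attribute and the public-suffix check that real browsers also perform are deliberately omitted and marked in comments.

```javascript
// Added illustration of RFC 6265 cookie scoping; not code from the original thread.
// Simplifications (assumptions): Path is ignored, hosts are DNS names rather than
// IP addresses, and no public-suffix list is consulted.

// Domain matching (RFC 6265 section 5.1.3): the request host matches a cookie
// domain when it is identical or ends with "." followed by the domain.
function domainMatches(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  return host === domain || host.endsWith('.' + domain);
}

// Parse a Set-Cookie header value; only Domain and HttpOnly are interpreted.
function parseSetCookie(header) {
  const parts = header.split(';').map(s => s.trim());
  const eq = parts[0].indexOf('=');
  const cookie = {
    name: parts[0].slice(0, eq).trim(),
    value: parts[0].slice(eq + 1).trim(),
    domain: null,      // null until the attribute or the host fills it in
    hostOnly: true,
    httpOnly: false,
  };
  for (const attr of parts.slice(1)) {
    const [k, v = ''] = attr.split('=');
    switch (k.trim().toLowerCase()) {
      case 'domain':
        // A leading dot is ignored by the browser ("Domain=.example.org").
        cookie.domain = v.trim().replace(/^\./, '').toLowerCase();
        break;
      case 'httponly':
        cookie.httpOnly = true;
        break;
    }
  }
  return cookie;
}

class CookieJar {
  constructor() { this.cookies = []; }

  // Store a cookie received from `host` (RFC 6265 section 5.3).
  // Returns false when the Domain attribute is rejected.
  setCookie(host, header) {
    const c = parseSetCookie(header);
    host = host.toLowerCase();
    if (c.domain === null) {
      // No Domain attribute: scoped to exactly this host (host-only cookie).
      c.domain = host;
      c.hostOnly = true;
    } else {
      // A host may only set cookies for itself or for a parent domain.
      // (Real browsers additionally reject public suffixes such as "org".)
      if (!domainMatches(host, c.domain)) return false;
      c.hostOnly = false;
    }
    // A cookie with the same name and domain replaces the old one.
    this.cookies = this.cookies.filter(o => !(o.name === c.name && o.domain === c.domain));
    this.cookies.push(c);
    return true;
  }

  // Cookies attached to a request to `host` (section 5.4). With `fromScript`
  // the result models document.cookie, which never exposes HttpOnly cookies.
  cookiesFor(host, fromScript = false) {
    host = host.toLowerCase();
    return this.cookies.filter(c => {
      const domainOk = c.hostOnly ? host === c.domain : domainMatches(host, c.domain);
      return domainOk && !(fromScript && c.httpOnly);
    });
  }

  // What a page on `host` would read from document.cookie.
  documentCookie(host) {
    return this.cookiesFor(host, true).map(c => `${c.name}=${c.value}`).join('; ');
  }
}

// Constructed scenario: the hosts from the question plus a few cookies.
function demo() {
  const jar = new CookieJar();
  jar.setCookie('sub.example.org', 'mycookie=sub');                            // host-only on sub
  jar.setCookie('example.org', 'shared=parent; Domain=example.org');           // visible to subdomains
  jar.setCookie('example.org', 'session=abc; Domain=example.org; HttpOnly');   // sent, not readable
  jar.setCookie('example.org', 'hostonly=p');                                  // host-only on parent
  const rejected = !jar.setCookie('sub.example.org', 'evil=1; Domain=other.example.org');
  return {
    rejected,                                                    // true
    sub: jar.documentCookie('sub.example.org'),                  // 'mycookie=sub; shared=parent'
    parent: jar.documentCookie('example.org'),                   // 'shared=parent; hostonly=p'
    subHeader: jar.cookiesFor('sub.example.org').map(c => c.name), // ['mycookie', 'shared', 'session']
  };
}
```

Running demo() shows the two points the answers make: a page on sub.example.org reads the cookie that example.org set with Domain=example.org but not the one it set without a Domain attribute, and the HttpOnly cookie still travels in the Cookie header to sub.example.org while being absent from document.cookie on either host.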