cookie dupes to domain without dot prefix

Question

I have this weird issue I cannot figure out, so I was hoping someone smarter than me could help!

I have a site https://example.com (no subdomain)

I have some code that sets a cookie, e.g.

var value="some value";
document.cookie="myCookie="+escape(value)+"; path=/; domain=example.com";

This code runs during page load in some script tag. When the page is first loaded, I see my cookie set, and in (chrome) dev tools > Application > Domain column, I see that it is set on .example.com with a leading dot, which is fine.

But then I refresh the page, and my code runs again (and there is a new value being pushed to the cookie; dunno if that matters). I look in the Application tab and I now see a "duplicate" entry for myCookie - one on .example.com and another on example.com (no leading dot). The values are the same. This is weird to me and I do not know why this is happening. Does anybody have any possible reasons for why this can happen?

Further down this rabbit hole.. I refresh the page again and the myCookie value on .example.com updates, but the one on example.com does not. More weirdness!

Meanwhile, I have other code that tries to read the cookie, but apparently the myCookie cookie on example.com takes precedence and I get that value, not the latest value (reflected in the .example.com cookie).

I have tried explicitly setting the cookie on .example.com (domain=.example.com) but the described behavior above still happens. Also, near as I can tell, there is no way for me in javascript to explicitly reference the cookie on .example.com - document.cookie just shows the example.com one (but the dev tools Applications tab does show it? So is this exposed in javascript?)

I can't provide a link to the site, but I can try to answer any questions someone might have to clarify.

But my main question is: can anybody explain possible reasons this might happen, or at least offer something that might point me in the right direction? Or failing that, alternatively some workaround to explicitly read from .example.com?

Edit

At this point, my best guess is something else on the site, likely server-side script, is duping the cookies over from .example.com to example.com but only if the values change. But this is pure speculation. I haven't been able to find any client-side proof of this (yet..) and I don't actually have access to server-side stuff. And this is probably grasping at straws anyways. But it's my best working theory ATM to take back to the site devs to ask them about..

Update - New stuff I have found / Clarifications

To be clear/restate: my site is on https://example.com with no submdomain.

This seems to only happen for my cookies where the value changes each page load. Cookies whose values do not change do not seem to get pushed from .example.com to example.com.

Even for the cookies with dynamic values, it only seems to dupe .example.com to example.com the first time. After that, the example.com cookie value does not change on subsequent page loads, even though the .example.com version gets a new dynamic value.

I have created a test script, separate from the cookies I currently observe this behavior, in an effort to divide and conquer. I thought to rule out any shenanigans with the code that sets/reads the cookies and blackbox this as much as possible.

But I am seeing the same behavior. I still suspect this is some kind of server wtfery going on, like the .example.com cookies are getting sent in the next http request and then the server is writing them back to example.com.. only on the first time? That's the double plot-twist. I don't have access to server-side stuff but I don't even know where to begin with what to holler at the site devs to look at.

Also note that so far between my colleagues and I, we tested the both the javascript lib/code that sets the problem cookies, as well as the blackbox script below on 6 other sites (not even owned/affiliated with this problem site at all) and have not been able to reproduce the issue, which further makes us suspect it is some kind of server config issue (but again, we don't really know where to start with that).

Anyways, in case it somehow helps anybody, below is the script I wrote to (further) test this issue. I am testing with a total of 8 cookies:

1. test_no_dot_static - I set domain=example.com with a static value
2. test_no_dot_dynamic - I set domain=example.comwith a dynamic value
3. test_dot_static - I set domain=.example.com with a static value
4. test_dot_dynamic - I set domain=.example.com with a dynamic value
5. test_implicit_no_domain_static - I set a cookie with static value with no domain= specified
6. test_implicit_no_domain_dynamic - I set a cookie with dynamic value with no domain= specified
7. test_explicit_no_domain_static - I set a cookie with static value with domain= specified with no value
8. test_explicit_no_domain_dynamic - I set a cookie with dynamic value with no domain= specified with no value

#1, #3 - These initially get set on .example.com and do not get duped to example.com on page refresh

#2, #4 - These initially get set on .example.com. On first page refresh, the original value is duped to example.com cookie/domain. On 2nd+ page refresh, the example.com cookie values do not change (retain original value), and the .example.com versions get new values each page load.

#5, #7 - These initially get set on example.com (not .example.com) and are there is never a version on .example.com.

#6, #8 - These initially get set on example.com (not .example.com) and their values update each page load, and there is never a version on .example.com .

Test Code

var s_testCookies = {
    getCookieValue: function(a) {
        var b = document.cookie.match('(^|;)\\s*' + a + '\\s*=\\s*([^;]+)');
        return b ? unescape(b.pop()) : '';
    },
    getRandomValue: function() {
        return '' + (new Date()).getTime() + '|' + Math.floor(Math.random() * 100000);
    },
    run: function(data) {
        var data = data || {};
        console.log('------------------------');
        console.log('Arg: ', JSON.parse(JSON.stringify(data)));
        data.previousValue = s_testCookies.getCookieValue(data.name);
        console.log('Previous: ', JSON.parse(JSON.stringify(data)));
        data.cookie = data.name + "=" + escape(data.value) + "; path=/;";
        data.cookie+= (typeof data.domain!='undefined') && (" domain="+data.domain+";") || "";
        document.cookie = data.cookie;
        data.newValue = s_testCookies.getCookieValue(data.name);
        console.log('New: ', JSON.parse(JSON.stringify(data)));
        console.log('------------------------');
    }
} // end testCookies

s_testCookies.run({
    'message': 'no dot static value',
    'domain': 'example.com',
    'name': 'test_no_dot_static',
    'value': 'no dot static value'
});
s_testCookies.run({
    'message': 'no dot dynamic value',
    'domain': 'example.com',
    'name': 'test_no_dot_dynamic',
    'value': s_testCookies.getRandomValue()
});
s_testCookies.run({
    'message': 'dot static value',
    'domain': '.example.com',
    'name': 'test_dot_static',
    'value': 'dot static value'
});
s_testCookies.run({
    'message': 'dot dynamic value',
    'domain': '.example.com',
    'name': 'test_dot_dynamic',
    'value': s_testCookies.getRandomValue()
});
s_testCookies.run({
    'message': 'implicit no domain static value',
    'name': 'test_implicit_no_domain_static',
    'value': 'implicit no domain static value'
});
s_testCookies.run({
    'message': 'implicit no domain dynamic value',
    'name': 'test_implicit_no_domain_dynamic',
    'value': s_testCookies.getRandomValue()
});
s_testCookies.run({
    'message': 'explicit no domain static value',
    'domain':'',
    'name': 'test_explicit_no_domain_static',
    'value': 'explicit no domain static value'
});
s_testCookies.run({
    'message': 'explicit no domain dynamic value',
    'domain':'',
    'name': 'test_explicit_no_domain_dynamic',
    'value': s_testCookies.getRandomValue()
});

Another Update based on comments / answers provided

To be clear, in practice, the issue is that we have some cookies that we set with values on a page load. Then when the page is refreshed (or another page is navigated to on the site), we read the value, do something with it, generate a new value and set the cookies again. Wash rinse repeat each page (re)load.

The issue is on initial page view, those cookies are set on .example.com domain. Then on next page load, the initial cookie/value gets duped to exampe.com, and also the cookie on .example.com gets an updated value. Then on another page load, the previous .example.com value does not get duped/pushed to example.com version of the cookie; only the .example.com version updates. So it only gets duped/pushed to example.com on the 2nd page load. Not 3rd+.

Meanwhile, the example.com cookie takes precedence and is the one document.cookie returns when we parse for the cookie value. So on 3rd+ page load, we just keep getting the value from page #2 returned from that example.com cookie, instead of the updated value in .example.com

Meanwhile, we cannot simply not specify a domain= value (#6 or #8 above), because there are in fact subdomains in play e.g. mobile.example.com that also have the code that reads/updates/writes those cookies, and if we do not specify a domain, then the cookie is only available on exactly example.com and cannot be read on mobile.example.com.

Udpate

@ffeast asked the following questions:

What does curl -I yourdomain return? Are there any Set-Cookie headers?

Here you go!

user@host:~$ curl -I https://example.com
HTTP/1.1 200 OK
X-Powered-By: Express
set-cookie: site#lang=en; Path=/;Secure
set-cookie: connect.sid=s%3As46fwOPaosGdwis0G_Wdv7gzUs75Q0rr.O1gLsLmrHmmdBXxPWJrIq8UWwOOaQf96qxUlW%2FxnEuM; Path=/; HttpOnly;Secure
Cache-Control: no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: 0
Content-Type: text/html; charset=utf-8
Content-Length: 19632
ETag: W/"4cb0-bgHMEy79PzLMv7jhB1Lh6A"
Vary: Accept-Encoding
Date: Fri, 16 Mar 2018 20:42:19 GMT
Connection: keep-alive
Set-Cookie: SecureCookie=!zPdIdxiz3mOMe2MYzy1p873u0yWtMdduASsHoU06gkaLs306mhR7cb3ir4TA2EG2cQGKmeVWJeYvxA/flQfPQUixqL8WMOfROsTgu3UZZg==; path=/; Httponly; Secure

I also see the same Response Headers from browser tab.

So there are some set-cookie headers in the initial http response, yes. They are not cookies I personally have anything to do with or know about for my scope of things, but I can ask what they are for, if that somehow helps. Example:

I notice that a domain= value is not explicitly set for them.. is it possible this somehow sets a precedent for the browser, or am I barking up the wrong tree? Even if it did though, I don't think that explains the dupe to example.com only to my cookies that change their values, nor it only happening on 2nd page load (not 3rd+)? Not sure where you're going with this, but I'm all ears!

Answer 1

If your goal is to use a cookie sharing between all sub-domains, allowing everyone to access and set the cookie, then you need to specify the root domain whenever you set the cookie.

Suppose you have sub.example.com, sub2.example.com and example.com, and you want to share the cookie between them then set the domain to example.com. When you don't specify a domain the cookie is only property of example.com or sub.example.com, but when you specify domain to be example.com, then it becomes accessible to example.com and all it's subdomains to read and write to.

domain=domain (e.g., 'example.com' or 'subdomain.example.com').
If not specified, defaults to the host portion of the current document location (but not including subdomains). Contrary to earlier specifications, leading dots in domain names are ignored, but browsers may decline to set the cookie containing such dot . If a domain is specified, subdomains are always included.
[source: developer.mozilla.org]

In example.com:

var value="some value";
document.cookie="myCookie="+escape(value)+"; path=/; domain=example.com";

In sub.example.com: (same as above)

var value="some value";
document.cookie="myCookie="+escape(value)+"; path=/; domain=example.com";

In both cases you have to set it to example.com. Otherwise the following situations may arise

• In example.com if you forget to set example.com at a single place, a new cookie will be created only for example.com that will be different from the shared one and will not sync with it creating lots of confusion.
• In sub.example.com if you forget to set example.com at a single place, a new cookie will be created only for sub.example.com that will be different from the shared one and will not sync with it creating lots of confusion.
• You should not set cookie to .example.com as it is not appreciated according to the above quote.

Possible causes of cookie duplication:

1. When first time the page is loaded JavaScript sets the cookie with specifying domain=example.com that sets the cookie for .example.com, when the second request is made browser sends the cookie to the server, some code on server-side receiving the new cookie sets it back on example.com. This can only be verified inspecting the response headers of the second request.
2. When first time the page is loaded JavaScript sets the cookie with specifying domain=example.com that sets the cookie for .example.com. When the page loads for the seconds time any JavaScript code is by mistake setting it without specifying domain=example.com that sets the cookie for example.com. This can only be verified inspecting the JavaScript codes involved in setting cookies.

I believe accidental creation of domain/sub-domain specific cookies are the cause of all the anomalies you described. Reviewing every section of code where cookies are being set may solve the issue.

UPDATE: What is really happening here.

You are using InvocaJS v3.6.6 and AngularJS v1.2.19, both of them having cookie management features. InvocaJS stores data in cookie as invoca_session and specifies domain example.com, so the cookie is set for .example.com. There is no problem when AngularJS sees the cookie for the first time, it remembers it. AngularJS keeps a copy of all the cookies and when you update any cookie by AngularJS, you actually modify the copy. Afterward AngularJS loops through all the cookies, compares it with copy to determine and update which cookies have been updated by AngularJS.

InvocaJS the repeatedly changes the value of invoca_session. When AngularJS loops though all the cookies and invoca_session does not match with the value AngularJS has, it thinks the value has been changed by AngularJS (as described above) and it updates the value of invoca_session replacing the new value with old one. (I tested it, this is exactly how AngularJS v1.2.19 worked)

The problem is Angular v1.2.19 does not specify any domain while setting cookies (predicted earlier as bug probability #2). So a new cookie is created with domain set to example.com. Afterwards when InvocaJS tries to read the cookie it reads the old cookie set for example.com.

AngularJS altering cookie

Answer 2

According to w3schools.com documention, you may use a function to built, get and check your cookie.

You may take a look on How do browser cookie domains work, also here and here to better understand how browser and javascript handle cookie setup.

---

As you said in your question that error is visible also Firefox, it may be useful to note that:

Contrary to earlier specifications, leading dots in domain names are ignored, but browsers may decline to set the cookie containing such dot . If a domain is specified, subdomains are always included.

---

As you said :

Meanwhile, the example.com cookie takes precedence and is the one document.cookie returns when we parse for the cookie value. So on 3rd+ page load, we just keep getting the value from page #2 returned from that example.com cookie, instead of the updated value in .example.com

You may double check if some data are loaded from a sub-domain xxx.example.com on the first load and future page load.

Verify that if some data are cached during future reload.

You may finally double check the presence of the following headers in requests:

Cache-Control: no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: 0

which avoid caching issue.