19

Is it possible to set a cookie without a domain?

This will mean all domains will have access to it.

jamjam

2 Answers

17

No, that is not possible. If a cookie doesn't declare a domain, the browser will assume the domain of the object requested.

What you're asking for is generally considered a security, or at least privacy, risk. It's possible to configure browsers to allow access to cookies from a domain other than the one in which they were created, but browsers aren't commonly configured that way.

Ry-
Michael Petrotta
  • Thanks for your answer. Follow-up question: is it possible to set a cookie on a domain but specify that another domain has access to it? – jamjam Feb 03 '12 at 18:51
  • @jamjam, no, it isn't. The normal way of dealing with this restriction is to place all applications that need access to the same cookie in the same domain. – Michael Petrotta Feb 03 '12 at 18:54
  • Not all browsers will assume the domain if a cookie doesn't declare a domain. – Joe R. Aug 01 '12 at 00:47
  • [See here](http://stackoverflow.com/questions/1019876/cookie-on-an-intranet-domain). Firefox 13 can also control whether the domain is assumed when a cookie doesn't declare one. – Joe R. Aug 01 '12 at 03:32
  • I don't see where the question you reference makes that point, @Frank. I'd be interested in a reference for the Firefox 13 setting. – Michael Petrotta Aug 01 '12 at 03:35
  • [RFC2109](http://www.ietf.org/rfc/rfc2109.txt): The host or domain for which the cookie is set. Presence of a leading dot indicates a domain cookie; otherwise, the cookie is treated as a non-domain cookie. See RFC2109 for details. The host string will be normalized to ASCII or ACE; any trailing dot will be stripped. To be a domain cookie, the host must have at least two subdomain parts (e.g. '.foo.com', not '.com'), otherwise an exception will be thrown. An empty string is acceptable (e.g. file:// URIs). – Joe R. Aug 01 '12 at 03:55
  • Yes, that *is* a quote from RFC2109, @Frank, and that RFC is discussed in the article I link to. How does that quote support your point? – Michael Petrotta Aug 01 '12 at 03:58
  • Plenty of homebrew scripts [here](http://userscripts.org/scripts/search?q=cookies&submit=) that can override the default. You can use a Firefox add-on called [Greasemonkey](https://addons.mozilla.org/en-US/firefox/addon/greasemonkey/) to run them! – Joe R. Aug 01 '12 at 04:28
5

RFC 2109 says this parameter is optional. But depending on the browser, behavior may be different.

user1720236
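
The domain handling discussed in the answers above, as an added example that is not part of any answer on this page: a simplified model of the storage and matching rules in RFC 6265 (the later cookie specification), showing that an omitted `Domain` yields a host-only cookie and that a foreign `Domain` is rejected. The function names, the hosts and the tiny `PUBLIC_SUFFIXES` set are assumptions made for illustration; real browsers consult the full Public Suffix List.

```javascript
// Added example: simplified RFC 6265 cookie domain rules (sections 5.1.3 and 5.3).
// Assumption: PUBLIC_SUFFIXES is a tiny constructed stand-in for the Public Suffix List.
const PUBLIC_SUFFIXES = new Set(["com", "org", "co.uk"]);

// Section 5.1.3: a host matches a domain if the two are identical, or if the
// host ends with "." + domain and is not an IP address.
function domainMatches(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  if (host === domain) return true;
  const isIp = /^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.includes(":");
  return !isIp && host.endsWith("." + domain);
}

// Decide how a cookie set by a response from requestHost is stored.
// domainAttr is the Domain attribute value, or null when it is omitted.
// Returns null when the cookie is rejected.
function storeCookie(requestHost, domainAttr) {
  requestHost = requestHost.toLowerCase();
  // No Domain attribute: host-only cookie, bound to the exact request host.
  if (!domainAttr) return { domain: requestHost, hostOnly: true };
  const domain = domainAttr.toLowerCase().replace(/^\./, ""); // leading dot is ignored
  if (PUBLIC_SUFFIXES.has(domain)) {
    // A public suffix is only usable by that exact host, and then as host-only.
    return domain === requestHost ? { domain: requestHost, hostOnly: true } : null;
  }
  if (!domainMatches(requestHost, domain)) return null; // another site's domain: rejected
  return { domain, hostOnly: false };
}

// Would the stored cookie be sent on a request to host?
function isSentTo(cookie, host) {
  host = host.toLowerCase();
  return cookie.hostOnly ? host === cookie.domain : domainMatches(host, cookie.domain);
}

// Constructed hosts for illustration.
function demo() {
  const hostOnly = storeCookie("app.example.com", null);
  const shared = storeCookie("app.example.com", "example.com");
  return {
    hostOnlyToSibling: isSentTo(hostOnly, "api.example.com"),
    sharedToSibling: isSentTo(shared, "api.example.com"),
    foreignDomain: storeCookie("app.example.com", "other.org"),
    publicSuffix: storeCookie("app.example.com", "com"),
  };
}
console.log(demo());
```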