I simply cannot believe this is quite so hard to determine.
Even having read the RFCs, it's not clear to me if a server at subdomain.example.com can set a cookie that can be read by example.com.
subdomain.example.com can set a cookie whose Domain attribute is .example.com. RFC 2965 seems to explicitly state that such a cookie will not be sent to example.com, but then equally says that if you set Domain=example.com, a dot is prepended, as if you said .example.com. Taken together, this seems to say that if example.com returns sets a cookie with Domain=example.com, it doesn't get that cookie back! That can't be right.
Can anyone clarify what the rules really are?
-
The simple answer is if you want a cookie to work across the domain and its subdomains use ".domain.com" otherwise use "sub.domain.com" or "domain.com"
The part that probably threw you were the dots placed after "com"
From qsheets -
It should not be possible. However, as you said, since this isn't a widely documented standard, it depends on what piece of software you're using.
Most modern browsers adhere to a defined "web security model". The model effectively governs the behavior of browsers with regards to security, on things like cookies (specifically how they will be sent back to any given website). The model also has the rule that "browsers don't send cookies to domain names that didn't set them."
That being said, domain.com should be able to set cookies for js.domain.com. js.domain.com, however, can only set cookies for itself. But this is all depending on what browser you're using.
From Tony -
Quoting from the same RFC2109 you read:
* A Set-Cookie from request-host x.foo.com for Domain=.foo.com would be accepted.So
subdomain.example.comcan set a cookie for.example.com. So far so good.The following rules apply to choosing applicable cookie-values from among all the cookies the user agent has. Domain Selection The origin server's fully-qualified host name must domain-match the Domain attribute of the cookieSo do we have a domain-match?
* A is a FQDN string and has the form NB, where N is a non-empty name string, B has the form .B', and B' is a FQDN string. (So, x.y.com domain-matches .y.com but not y.com.)But now
example.comwouldn't domain-match.example.comaccording to the definition. Butwww.example.com(or any other "non-empty name" in the domain) would. This RFC is in theory obsoleted by RFC2965, which dictated things about forcing a leading dot for domains onSet-Cookie2operations.More important, as noted by @Tony, is the real world. For a glimpse into what actual user agents are doing, see
Firefox 3's nsCookieService.cpp
http://mxr.mozilla.org/firefox/source/netwerk/cookie/src/nsCookieService.cpp
and
http://src.chromium.org/viewvc/chrome/trunk/src/net/base/cookie_monster.cc
For perspective into what actual sites are doing, try playing with
wgetusing--save-cookies,--load-cookies, and--debugto see what's going on.You'll likely find that in fact most sites are using some combination of
Set-Cookiefrom the older RFC spec with "Host" values, implicitly without a leading dot (as twitter.com does) or setting Domain values (with a leading dot) and redirecting to a server likewww.example.com(as google.com does).JamesRyan : so how do www.example.com and example.com (which commonly point to the same site) use the same cookies? The leading . cannot be required in most browsers otherwise this common usage would not work.medina : Leading dot is only forced by the more recent RFC. example.com can set cookies for "example.com" and ".example.com"; the latter can be read by www.example.com. Use the wget commands shown to see what's happening.From medina
0 comments:
Post a Comment