How do browser cookie domains work?

逝去的感伤 2020-11-22 05:34

Due to weird domain/subdomain cookie issues that I'm getting, I'd like to know how browsers handle cookies. If they do it in different ways, it would also be nice to know

9 answers
  •  执笔经年
    2020-11-22 05:49

    The previous answers are a little outdated.

    RFC 6265 was published in 2011, based on the browser consensus at that time. Since then, there has been some complication with public suffix domains. I've written an article explaining the current situation - http://bayou.io/draft/cookie.domain.html

    To summarize, rules to follow regarding cookie domain:

    • The origin domain of a cookie is the domain of the originating request.

    • If the origin domain is an IP, the cookie's domain attribute must not be set.

    • If a cookie's domain attribute is not set, the cookie is only applicable to its origin domain.

    • If a cookie's domain attribute is set,

      • the cookie is applicable to that domain and all its subdomains;
      • the cookie's domain must be the same as, or a parent of, the origin domain;
      • the cookie's domain must not be a TLD, a public suffix, or a parent of a public suffix.

    It can be derived that a cookie is always applicable to its origin domain.

    The cookie domain should not have a leading dot, as in .foo.com - simply use foo.com

    As an example,

    • x.y.z.com can set a cookie domain to itself or parents - x.y.z.com, y.z.com, z.com. But not com, which is a public suffix.
    • a cookie with domain=y.z.com is applicable to y.z.com, x.y.z.com, a.x.y.z.com etc.

    Examples of public suffixes - com, edu, uk, co.uk, blogspot.com, compute.amazonaws.com
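A worked check of the rules in this answer, added here as an example; it is not code from the answer or from the linked article. It implements the RFC 6265 domain-match test (host equals the domain, or ends with "." followed by the domain), refuses a Domain attribute that is a public suffix or a parent of one, refuses any Domain attribute when the origin is an IP address, and treats a missing Domain attribute as a host-only cookie. The public-suffix list is a tiny constructed sample rather than the real list, and the function names (`evaluateCookieDomain`, `cookieAppliesTo`, `domainMatches`) are my own choice for the example.

```javascript
// Constructed sample of public suffixes (the examples from the answer above).
// A real implementation would load the full Public Suffix List.
const PUBLIC_SUFFIXES = new Set([
  "com", "edu", "uk", "co.uk", "blogspot.com", "compute.amazonaws.com",
]);

// Lowercase the host and drop a single leading dot (browsers ignore it, so
// ".foo.com" and "foo.com" mean the same thing) and a trailing root dot.
function normalizeHost(host) {
  let h = String(host).trim().toLowerCase();
  if (h.startsWith(".")) h = h.slice(1);
  if (h.endsWith(".")) h = h.slice(0, -1);
  return h;
}

// IPv4 dotted quad, or anything containing ':' (an IPv6 literal).
function isIpAddress(host) {
  return /^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.includes(":");
}

// RFC 6265 section 5.1.3 domain-match: host is the domain itself, or a
// subdomain of it (a label boundary is required, so "xy.z.com" does not
// match "y.z.com").
function domainMatches(host, domain) {
  const h = normalizeHost(host);
  const d = normalizeHost(domain);
  return h === d || h.endsWith("." + d);
}

// True when `domain` is itself a public suffix or a parent of one
// (e.g. "uk" is a parent of "co.uk"; "com" is both a suffix and a parent).
function isPublicSuffixOrParent(domain) {
  for (const suffix of PUBLIC_SUFFIXES) {
    if (domainMatches(suffix, domain)) return true;
  }
  return false;
}

// Evaluate a Set-Cookie Domain attribute received from `originHost`.
// Returns { ok, hostOnly, domain, reason }; when ok is false the browser
// would drop the cookie entirely.
function evaluateCookieDomain(originHost, domainAttr) {
  const origin = normalizeHost(originHost);

  if (domainAttr === undefined || domainAttr === null || domainAttr === "") {
    // No Domain attribute: host-only cookie, applies to the origin host alone.
    return { ok: true, hostOnly: true, domain: origin,
             reason: "no Domain attribute; host-only cookie" };
  }
  if (isIpAddress(origin)) {
    return { ok: false, hostOnly: false, domain: null,
             reason: "origin is an IP address; Domain must not be set" };
  }
  const domain = normalizeHost(domainAttr);
  if (isPublicSuffixOrParent(domain)) {
    return { ok: false, hostOnly: false, domain: null,
             reason: domain + " is a public suffix or a parent of one" };
  }
  if (!domainMatches(origin, domain)) {
    // Domain must be the origin host itself or one of its parents.
    return { ok: false, hostOnly: false, domain: null,
             reason: domain + " is neither the origin domain nor a parent of it" };
  }
  return { ok: true, hostOnly: false, domain,
           reason: "cookie applies to " + domain + " and all its subdomains" };
}

// Would a stored cookie (as returned by evaluateCookieDomain) be sent with a
// request to `requestHost`?
function cookieAppliesTo(cookie, requestHost) {
  if (!cookie.ok) return false;
  const host = normalizeHost(requestHost);
  return cookie.hostOnly ? host === cookie.domain
                         : domainMatches(host, cookie.domain);
}

// Walk through the answer's own example when run directly.
if (typeof require !== "undefined" && require.main === module) {
  for (const d of ["x.y.z.com", "y.z.com", "z.com", "com", ".y.z.com", "a.x.y.z.com"]) {
    console.log("x.y.z.com sets Domain=" + d + " ->", evaluateCookieDomain("x.y.z.com", d).reason);
  }
  const c = evaluateCookieDomain("x.y.z.com", "y.z.com");
  for (const h of ["y.z.com", "x.y.z.com", "a.x.y.z.com", "z.com", "xy.z.com"]) {
    console.log("cookie for y.z.com sent to " + h + "?", cookieAppliesTo(c, h));
  }
}
```

The label-boundary check in `domainMatches` is the part worth noticing: a plain suffix comparison would let a cookie scoped to `y.z.com` leak to an unrelated `xy.z.com`, which is exactly the kind of subdomain confusion the question describes.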
