How do browser cookie domains work?

逝去的感伤 2020-11-22 05:34

Due to weird domain/subdomain cookie issues that I'm getting, I'd like to know how browsers handle cookies. If they do it in different ways, it would also be nice to know.

9 Answers
  •  星月不相逢
    2020-11-22 05:41

    For extensive coverage, review the contents of RFC 2965. Of course, that doesn't necessarily mean that all browsers behave exactly the same way.

    However, in general, the rule for the default Path, if none is specified in the cookie, is the path in the URL from which the Set-Cookie header arrived. Similarly, the default for the Domain is the full host name in the URL from which the Set-Cookie arrived.

    Matching rules for the domain require the cookie Domain to match the host to which the request is being made. The cookie can specify a wider domain match by including *. in the domain attribute of Set-Cookie (this is one area where browsers may vary). Matching the path (assuming the domain matches) is a simple matter: the requested path must be inside the path specified on the cookie. Typically, session cookies are set with path=/ or path=/applicationName/ so the cookie is available to all requests into the application.


    Response to Added:

    • Will a cookie for .example.com be available for www.example.com? Yes
    • Will a cookie for .example.com be available for example.com? Don't Know
    • Will a cookie for example.com be available for www.example.com? Shouldn't but... *
    • Will a cookie for example.com be available for anotherexample.com? No
    • Will www.example.com be able to set cookie for example.com? Yes
    • Will www.example.com be able to set cookie for www2.example.com? No (Except via .example.com)
    • Will www.example.com be able to set cookie for .com? No (Can't set a cookie this high up the namespace nor can you set one for something like .co.uk).

    * I'm unable to test this right now but I have an inkling that at least IE7/6 would treat the path example.com as if it were .example.com.
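
The scoping rules discussed in the answer above, as an added example that is not part of the original post. It follows RFC 6265, which obsoleted RFC 2965, so older browsers may behave differently; the function names and the two-entry `PUBLIC_SUFFIXES` set are assumptions made for illustration.

```javascript
// Added example, not from the original answer. Scoping rules per RFC 6265
// (sections 5.1.3, 5.1.4, 5.3). PUBLIC_SUFFIXES is a tiny constructed
// stand-in for the real Public Suffix List (assumption).
const PUBLIC_SUFFIXES = new Set(["com", "co.uk"]);

// Domain-match: identical, or host ends with "." + domain and is not an IP.
function domainMatch(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  if (host === domain) return true;
  const isIp = /^[\d.]+$/.test(host) || host.includes(":"); // simplified IP check
  return !isIp && host.endsWith("." + domain);
}

// Path-match: request path equals the cookie path or lies below it.
function pathMatch(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// Decide whether a Set-Cookie received from originHost is stored, and with
// what scope. domainAttr is the Domain attribute value, undefined if absent.
function storeCookie(originHost, domainAttr, path = "/") {
  const origin = originHost.toLowerCase();
  if (domainAttr === undefined || domainAttr === "") {
    return { domain: origin, hostOnly: true, path }; // host-only cookie
  }
  const domain = domainAttr.replace(/^\./, "").toLowerCase(); // leading dot ignored
  if (PUBLIC_SUFFIXES.has(domain)) {
    // A public suffix is accepted only as the origin itself, and then host-only.
    return domain === origin ? { domain, hostOnly: true, path } : null;
  }
  if (!domainMatch(origin, domain)) return null; // sibling or unrelated host
  return { domain, hostOnly: false, path };
}

// Would the stored cookie be attached to a request for host + path?
function isSent(cookie, host, path = "/") {
  const hostOk = cookie.hostOnly
    ? host.toLowerCase() === cookie.domain
    : domainMatch(host, cookie.domain);
  return hostOk && pathMatch(path, cookie.path);
}
```

The practical difference to watch for when reviewing `Set-Cookie` headers: any cookie carrying a `Domain` attribute is sent to every subdomain of that domain, while a cookie without one stays on the exact host that set it.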
