How does a browser handle cookie with no path and no domain

前端未结
关注
 2  1185
南笙 2021-01-04 03:50
I have googled this a lot now and have found conflicting answers. So my question is: how does a browser handle an HTTP cookie that has no domain and no pa

      
      
        
          2条回答        

        
                    
            
            
                         
                
              
              
                
                   情书的邮戳
                                             
                
                
                (楼主)
            
              
              
                2021-01-04 04:34
              

            
            
                        
The accepted answer is incorrect in regards to one scenario:

And https://example.com/a?
No. Because /a is not under "directory" /a/b.

If you only care about Internet Explorer, that's true. If you care about the standard and browsers that comply with it, it isn't.
RFC 6265 provides the following algorithm for computing the default cookie path to use when a Path attribute is not present:

The user agent MUST use an algorithm equivalent to the following
algorithm to compute the default-path of a cookie:

Let uri-path be the path portion of the request-uri if such a
portion exists (and empty otherwise).  For example, if the
request-uri contains just a path (and optional query string),
then the uri-path is that path (without the %x3F ("?") character
or query string), and if the request-uri contains a full
absoluteURI, the uri-path is the path component of that URI.

If the uri-path is empty or if the first character of the uri-
path is not a %x2F ("/") character, output %x2F ("/") and skip
the remaining steps.

If the uri-path contains no more than one %x2F ("/") character,
output %x2F ("/") and skip the remaining step.

Output the characters of the uri-path from the first character up
to, but not including, the right-most %x2F ("/").



I've highlighted #4 becuase that's the part that matters. For a cookie set at uri-path /a/b, the "right-most" / is the one before the b. The algorithm says to stop there, hence the default cookie path is /a and therefore the cookie should get sent to https://example.com/a.
But as most web developers know, "should" is one thing and "does" is something else. So I wrote a small web app to test this exact scenario: Will a cookie without an explicit Path attribute that is set at /a/b be sent in requests to /a? Here's my findings (latest browser versions, Windows 10):
Chrome - yes
Firefox - yes
Edge - yes
Internet Explorer - no
    
             
                                                        
            
            
              
                
                0
              
                   
                
               讨论(0)
              
                                                  
              
              
                          
             
       
          
              
                                       
     查看其它2个回答


            
                         
                    


               
            
    发布评论:
    
         
                        
    
    提交评论 
  
  

                    
                    
                    
                        
                        
                         加载中...
                        
                    
                
          
                              			
        
        
        
          
            
            
              
              
            
    


                                 
              
            
                          
    

        
         
                验证码
                
                  
                
                
                   看不清?
                
              
                                  
                    
   
                 
             
              提交回复