Question
I have been reading through How do browser cookie domains work? and the RFC at and it answered many of my questions about cookies. Not all of them though (though I'm sure the answer is in the RFC, I haven't been able to properly parse it). I have some more questions, which I will pose in the same format as the above question.
- should a cookie for www.example.com be available to www.example.com/path?
- should a cookie for example.com/path be available for www.example.com?
- should www.example.com be able to set a cookie for www.example.com/path?
- should a cookie for www.example.com/path be available to www.example.com?
- should www.example.com/path be able to set a cookie for www.example.com?
- if a cookie is set for www.example.com containing foo=bar, and after that a cookie is set for example.com containing foo=baz should example.com be sent the former, or the latter or both?
- if a cookie is set for www.example.com containing foo=bar that expires in a day, then a cookie containing foo=baz is set that will expire in 15 minutes, should after the latter cookie expires the former cookie be sent?
EDIT One more:
- if a cookie is set for www.example.com containing foo=bar, and after that a cookie is set for example.com containing foo=baz what cookie should www.example.com be sent?
Also fixed second case
Answer 1:
- should a cookie for www.example.com be available to www.example.com/path?
Yes
- should a cookie for example.com/path be available for www.example.com?
No
- should www.example.com be able to set a cookie for www.example.com/path?
(Yes) Most likely (Cookie Path is not a security feature)
- should a cookie for www.example.com/path be available to www.example.com?
(No) The cookie will not be sent to www.example.com, but www.example.com can contain JavaScript that can fetch the cookie through an iframe. Again, cookie path is not a security feature.
- should www.example.com/path be able to set a cookie for www.example.com?
Yes
- if a cookie is set for www.example.com containing foo=bar, and after that a cookie is set for example.com containing foo=baz should example.com be sent the former, or the latter or both?
Latter, because example.com does not have access to www.example.com's cookies.
- if a cookie is set for www.example.com containing foo=bar that expires in a day, then a cookie containing foo=baz is set that will expire in 15 minutes, should after the latter cookie expires the former cookie be sent?
No, because the second cookie will overwrite the first.
- if a cookie is set for www.example.com containing foo=bar, and after that a cookie is set for example.com containing foo=baz what cookie should www.example.com be sent?
Unspecified behaviour. Either or both (concatenated) seems to be valid.
How to handle multiple cookies with the same name
Edit: Added answer to new question, corrected question 2 and changed answer.
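The cases discussed above can be replayed against a small model of the domain-match, path-match, storage and ordering rules of RFC 6265 (sections 5.1.3, 5.1.4, 5.3 and 5.4). This is an added example, not code from the question or the answer; CookieJar, domainMatch and pathMatch are hypothetical names, the default path is fixed to / as a simplification, and public-suffix, Secure and HttpOnly handling are left out.

```javascript
// Simplified cookie jar modelled on RFC 6265 (added example, hypothetical names).

// 5.1.3: host equals the cookie domain or is a subdomain of it.
function domainMatch(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

// 5.1.4: request path equals the cookie path or lies below it.
function pathMatch(reqPath, cookiePath) {
  if (reqPath === cookiePath) return true;
  if (!reqPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || reqPath[cookiePath.length] === "/";
}

class CookieJar {
  constructor() { this.cookies = []; }

  // setterHost sent the Set-Cookie header; opts holds Domain, Path, Max-Age.
  set(setterHost, name, value, opts = {}, now = 0) {
    const hostOnly = opts.domain === undefined;
    const domain = hostOnly ? setterHost : opts.domain;
    // 5.3: a host may only set cookies for itself or a parent domain.
    if (!domainMatch(setterHost, domain)) return false;
    const path = opts.path || "/"; // assumption: default path is always "/"
    const expires = opts.maxAge === undefined ? Infinity : now + opts.maxAge;
    // Same (name, domain, path) replaces the stored cookie; others coexist.
    this.cookies = this.cookies.filter(
      c => !(c.name === name && c.domain === domain && c.path === path));
    this.cookies.push({ name, value, domain, path, hostOnly, expires, created: now });
    return true;
  }

  // Cookie header value for a request to host + path at time `now` (seconds).
  header(host, path, now = 0) {
    return this.cookies
      .filter(c => c.expires > now)
      .filter(c => c.hostOnly ? host === c.domain : domainMatch(host, c.domain))
      .filter(c => pathMatch(path, c.path))
      // 5.4: longer paths first, then earlier creation time.
      .sort((a, b) => b.path.length - a.path.length || a.created - b.created)
      .map(c => `${c.name}=${c.value}`)
      .join("; ");
  }
}
```

Because Path only narrows which requests carry the cookie, and same-origin script can still reach it, the model treats Path as a routing filter rather than an access control.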
Source: https://stackoverflow.com/questions/18460968/how-do-cookies-work-with-domains-paths-and-overriding