Cookies and subdomains for cookieless domains - http

I have set (I use PHP) my cookies' domain to be www.example.com - but will those cookies be sent back to the static.www.example.com? From what I've read already the answer is a depressing 'yes'.
The reason is that I'm trying to implement a static subdomain for CSS/images without resorting to buying an entire new domain (eg www.example-static.com)

From what I've read already the answer is a depressing 'yes'.
That's correct. If you set the cookie domain to www.example.com it will be sent to *.www.example.com.
Using static-www.example.com would work as expected and the cookie will not be sent to this subdomain.

Related

Domain in cookies

I'm not sure so please explaine me if you know. I have problem with domain in Cookies.
According to the newewst rfc 6265 document it doesn't matter if domain in cookie starting with 'dot' or not.
For example:
Set-Cookie: example.com means the same as .example.com and it's valid for all subdomains like something.example.com and of course example.com .
So I have a question. How about "www"... If client have cookie setting to www.example.com -> client shouldn't send cookie for "example.com"??? But should send to: www.example.com???
Or maybe "www." is ignored too?
Could you explain me that? I can't find the answer.
Thank you.
No, there's nothing special about www; it works the same as any other subdomain. www.example.com is different to example.com as far as cookies are concerned. Regardless of your opinion, that is the fact. www as a subdomain is not special.
This is an important point, and does catch a lot of beginners out, particularly when they write links in their sites with the full domain name. If you navigate from www.example.com/index.html to example.com/nextpage.html, your cookies may not be visible on the second page if the cookies were created on the index page in the www subdomain.
You say you've already read the RFC, but you might find that this answer gives a little more clarification on it.
Hope that helps.

How to get the Cookie of different domain in a web browser using vb.net

I have one web application running two different domain like example.com and test.example.com.I have created a cookie for example.com.I have seen in Firefox that the browser create a folder named "example.com" which contain the cookie .But when I go through test.example.com it create a new cookie folder named "test.example.com" .Does it possible to get the cookie of "example.com" folder in "test.example.com" folder (I mean when I go through "test.example.com" if the cookie exists in "example.com"). Please let me know if there is any way.Thanks in advanced.
You can do the other way around. Create the test.example.com cookie using the .example.com domain.
see: Can subdomain.example.com set a cookie that can be read by example.com?

cookie domain getting changed, only one cookie with '.' one without

I am explicitly setting a cookie domain so it is shared between the domain and a sub domain. Think mysite.com and payment.mysite.com. Sometimes I get two session cookies when I only have one specified. When looking in firefox the domains on the cookies are different, one is "mysite.com" and the other is ".mysite.com" how does this happen? I am setting the domain to mysite.com but it is trimmed from one.
I am using asp.net.
Thanks
It depens what you specify as a domain in setcookie function. Please take a look at the description in here http://php.net/setcookie.

Can subdomain.example.com set a cookie that can be read by example.com?

I simply cannot believe this is quite so hard to determine.
Even having read the RFCs, it's not clear to me if a server at subdomain.example.com can set a cookie that can be read by example.com.
subdomain.example.com can set a cookie whose Domain attribute is .example.com. RFC 2965 seems to explicitly state that such a cookie will not be sent to example.com, but then equally says that if you set Domain=example.com, a dot is prepended, as if you said .example.com. Taken together, this seems to say that if example.com returns sets a cookie with Domain=example.com, it doesn't get that cookie back! That can't be right.
Can anyone clarify what the rules really are?
Yes.
If you make sure to specify that the domain is .example.com, then *.example.com and example.com can access it.
It's that principle that allows websites that issue cookies when somebody goes to www.website.com to access cookies when someone leaves off the www, going to website.com.
EDIT: From the PHP documentation about cookies:
domain The domain that the cookie is
available. To make the cookie
available on all subdomains of
example.com then you'd set it to
'.example.com'. The . is not required
but makes it compatible with more
browsers. Setting it to
www.example.com will make the cookie
only available in the www subdomain.
Refer to tail matching in the ยป spec
for details.
http://php.net/manual/en/function.setcookie.php
And it's not unique to PHP.

Setting cookies for multiple sub-domains

Is it possible to set a cookie for http://www.example.com from a PHP file located at https://secure.example.com? I have some code that was given to me, that appears to try and fails at this. I was wondering if this is possible at all.
Webpages can only set cookies for the second (or higher) level domain that they belong to.
This means that secure.example.com can read and set cookies for secure.example.com or .example.com, the latter of which can also be read and set by www.example.com
One last note: If the secure flag is set on a cookie, it can only be read and set over an https connection.
If you set the cookie domain to ".example.com", the cookie will work for all subdomains.

Resources