I have two questions. I understand that if I specify the domain as
The 2 domains
subdomain.mydomain.com can only share cookies if the domain is explicitly named in the
Set-Cookie header. Otherwise, the scope of the cookie is restricted to the request host.
For instance, if you sent the following header from
Then the cookie won't be sent for requests to
mydomain.com. However if you use the following, it will be usable on both domains:
Set-Cookie: name=value; domain=mydomain.com
In RFC 2109, a domain without a leading dot meant that it could not be used on subdomains, and only a leading dot (
.mydomain.com) would allow it to be used across subdomains.
However, modern browsers respect the newer specification RFC 6265, and will ignore any leading dot, meaning you can use the cookie on subdomains as well as the top-level domain.
In summary, if you set a cookie like the second example above from
mydomain.com, it would be accessible by
subdomain.mydomain.com, and vice versa.