adam0101 - 3 months ago 16
HTTP Question

Share cookie between subdomain and domain

I have two questions. I understand that if I specify the domain as .mydomain.com (with the leading dot) in the cookie that all subdomains can share a cookie.

Can subdomain.mydomain.com access a cookie created in mydomain.com (without the "www" subdomain)?

Can mydomain.com (without the www subdomain) access the cookie if created in subdomain.mydomain.com?

Answer

The 2 domains mydomain.com and subdomain.mydomain.com can only share cookies if the domain is explicitly named in the Set-Cookie header. Otherwise, the scope of the cookie is restricted to the request host.

For instance, if you sent the following header from subdomain.mydomain.com:

Set-Cookie: name=value

Then the cookie won't be sent for requests to mydomain.com. However, if you use the following, it will be usable on both domains:

Set-Cookie: name=value; domain=mydomain.com

In RFC 2109, a domain without a leading dot meant that it could not be used on subdomains, and only a leading dot (.mydomain.com) would allow it to be used across subdomains.

However, modern browsers respect the newer specification RFC 6265, and will ignore any leading dot, meaning you can use the cookie on subdomains as well as the top-level domain.

In summary, if you set a cookie like the second example above from mydomain.com, it would be accessible by subdomain.mydomain.com, and vice versa.

See also: www vs no-www and cookies, this test script
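
The scoping rules described in the answer above, as an added example that is not part of the original answer: a simplified JavaScript model of how an RFC 6265 user agent stores a cookie (host-only versus Domain attribute, leading dot ignored) and decides which hosts receive it. The function names `domainMatch`, `storeCookie` and `wouldSend` are hypothetical, and the model assumes at most one Domain attribute and skips public-suffix checks, IP-address hosts, Path, Secure and expiry.

```javascript
// Added example: simplified RFC 6265 Domain handling (sections 5.1.3, 5.2.3, 5.3).
// Assumptions: at most one Domain attribute; no public-suffix list, no IP hosts.

// RFC 6265 5.1.3: the host is identical to the cookie domain,
// or the host ends with "." + cookie domain.
function domainMatch(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  return host === domain || host.endsWith("." + domain);
}

// Parse one Set-Cookie value as received in a response from requestHost.
// Returns the stored cookie, or null if the user agent would ignore it.
function storeCookie(requestHost, setCookie) {
  const [pair, ...attrs] = setCookie.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  if (eq < 1) return null; // no name=value pair
  // Without a Domain attribute the cookie is host-only.
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1),
                   domain: requestHost.toLowerCase(), hostOnly: true };
  for (const attr of attrs) {
    const [key, val = ""] = attr.split("=").map((s) => s.trim());
    if (key.toLowerCase() !== "domain" || val === "") continue;
    // 5.2.3: a leading dot in the attribute value is ignored.
    const d = val.replace(/^\./, "").toLowerCase();
    // 5.3: the request host must domain-match the attribute, else reject.
    if (!domainMatch(requestHost, d)) return null;
    cookie.domain = d;
    cookie.hostOnly = false;
  }
  return cookie;
}

// Would the user agent attach this stored cookie to a request for requestHost?
function wouldSend(cookie, requestHost) {
  return cookie.hostOnly
    ? requestHost.toLowerCase() === cookie.domain
    : domainMatch(requestHost, cookie.domain);
}
```

A cookie stored with `hostOnly` false is sent to every host under that domain, so any subdomain's server receives it; a response from mydomain.com cannot set a cookie scoped only to subdomain.mydomain.com.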
