Domain set cookie for subdomain

by

No. Besides that fuu.example.com is an invalid Domain value (it must start with a ., i.e. .fuu.example.com) (see update below) the cookie would get rejected:

To prevent possible security or privacy violations, a user agent rejects a cookie (shall not store its information) if any of the following is true:

  • The request-host is a Fully-Qualifed Domain Name (not IP address) and has the form HD, where D is the value of the Domain attribute, and H is a string that contains one or more dots.

The request-host is example.com and the Domain attribute value is foo.example.com. But the request-host example.com does not has the form HD where D would be foo.example.com. Thus the cookie gets rejected.

Update    The current specification RFC 6265, that obsoleted RFC 2109 that is quoted above, does ignore the leading dot. But the effective domain is handled the same:

[…] if the value of the Domain attribute is
example.com“, the user agent will include the cookie in the Cookie
header when making HTTP requests to example.com, www.example.com, and
www.corp.example.com. (Note that a leading %x2E (“.“), if present,
is ignored even though that character is not permitted, but a
trailing %x2E (“.“), if present, will cause the user agent to ignore
the attribute.)

[…] the user agent will accept a cookie with a
Domain attribute of “example.com” or of “foo.example.com” from
foo.example.com, but the user agent will not accept a cookie with a
Domain attribute of “bar.example.com” or of “baz.foo.example.com“.

More Related Contents:

  1. Share cookie between subdomain and domain
  2. How do browser cookie domains work?
  3. How to detect server-side whether cookies are disabled
  4. Why is it common to put CSRF prevention tokens in cookies?
  5. How to handle multiple cookies with the same name?
  6. Correct way to delete cookies server-side
  7. Cookie handling in Google Apps Script – How to send cookies in header?
  8. Why can’t I set a cookie and redirect?
  9. How are cookies passed in the HTTP protocol?
  10. How do I create a persistent vs a non-persistent cookie?
  11. Save cookies between two curl requests
  12. How does cookie “Secure” flag work?
  13. Share cookies between subdomain and domain
  14. Share a cookie between two websites
  15. Reading cookies via HTTPS that were set using HTTP
  16. Sending browser cookies during a 302 redirect
  17. What is the difference between server side cookie and client side cookie?
  18. Is a URL with // in the path-section valid?
  19. Should cookie values be URL encoded?
  20. Is it possible to set more than one cookie with a single Set-Cookie?
  21. What is the maximum length of a URL in different browsers?
  22. Detecting the character encoding of an HTTP POST request
  23. How can I get the clients IP address from HTTP headers?
  24. How many socket connections can a web server handle?
  25. REST response code for invalid data
  26. How can I find out whether a server supports the Range header?
  27. REST, HTTP DELETE and parameters
  28. What is the boundary parameter in an HTTP multi-part (POST) Request?
  29. How to send NULL in HTTP query string?
  30. Console errors. Failed to load resource: net::ERR_INSECURE_RESPONSE

Leave a Comment