Share cookie between subdomain and domain

by

If you set a cookie like this:

Set-Cookie: name=value

then the cookie will only apply to the request domain, and will only be sent for requests to the exact same domain, not any other subdomains. (See What is a host only cookie?)

Two different domains (e.g. mydomain.com and subdomain.mydomain.com, or sub1.mydomain.com and sub2.mydomain.com) can only share cookies if the domain attribute is present in the header:

Set-Cookie: name=value; domain=mydomain.com

The domain attribute must “domain-match” the request URL for it to be valid, which basically means it must be the request domain or a super-domain. So this applies for both examples in the question, as well as sharing between two separate subdomains.

This cookie would then be sent for any subdomain of mydomain.com, including nested subdomains like subsub.subdomain.mydomain.com. (Bear in mind there are other attributes that could restrict the scope of the cookie and when it gets sent by the browser, like path or Secure).

Because of the way the domain-matching works, if you want sub1.mydomain.com and sub2.mydomain.com to share cookies, then you’ll also share them with sub3.mydomain.com.

See also:

A note on leading dots in domain attributes: In the early RFC 2109, only domains with a leading dot (domain=.mydomain.com) could be used across subdomains. But this could not be shared with the top-level domain, so what you ask was not possible in the older spec.

However, the newer specification RFC 6265 ignores any leading dot, meaning you can use the cookie on subdomains as well as the top-level domain.

More Related Contents:

  1. Share cookies between subdomain and domain
  2. How do browser cookie domains work?
  3. How to detect server-side whether cookies are disabled
  4. Why is it common to put CSRF prevention tokens in cookies?
  5. How to handle multiple cookies with the same name?
  6. Correct way to delete cookies server-side
  7. Cookie handling in Google Apps Script – How to send cookies in header?
  8. Why can’t I set a cookie and redirect?
  9. How are cookies passed in the HTTP protocol?
  10. How do I create a persistent vs a non-persistent cookie?
  11. Save cookies between two curl requests
  12. How does cookie “Secure” flag work?
  13. Domain set cookie for subdomain
  14. Share a cookie between two websites
  15. Reading cookies via HTTPS that were set using HTTP
  16. Sending browser cookies during a 302 redirect
  17. What is the difference between server side cookie and client side cookie?
  18. Is a URL with // in the path-section valid?
  19. Should cookie values be URL encoded?
  20. Is it possible to set more than one cookie with a single Set-Cookie?
  21. Escaping ampersand in URL
  22. Maximum on HTTP header values?
  23. Download multiple files with a single action
  24. How can I chain HTTP calls in Angular 2?
  25. HTTP test server accepting GET/POST requests
  26. How does “304 Not Modified” work exactly?
  27. Process Management for the Go Webserver
  28. What is Cache-Control: private?
  29. Custom HTTP Authorization Header
  30. Multiple HTTP Authorization headers?

Leave a Comment