Because of strange domain/subdomain cookie problems that I am getting, I'd like to understand how browsers handle cookies. If they do it differently, it would also be nice to understand the differences.

In other words - when a browser receives a cookie, that cookie MAY have a domain and a path attached to it. Or not, in which case the browser probably substitutes some defaults for them. Question 1: what are they?

Later, when the browser is about to make a request, it checks its cookies and filters out the ones it should send for that request. It does so by matching them against the request's path and domain. Question 2: what are the matching rules?


Added:

The reason I am asking is that I am interested in some edge cases. Like:

  • Will a cookie for .example.com be accessible for www.example.com?
  • Will a cookie for .example.com be accessible for example.com?
  • Will a cookie for example.com be accessible for www.example.com?
  • Will a cookie for example.com be accessible for anotherexample.com?
  • Will www.example.com be able to set a cookie for example.com?
  • Will www.example.com be able to set a cookie for www2.example.com?
  • Will www.example.com be able to set a cookie for .com?
  • Etc.

Added 2:

Also, could someone suggest how I should set a cookie so that:

  • It can be set by either www.example.com or example.com
  • It is accessible by both www.example.com and example.com.

Although there is RFC 2965 (Set-Cookie2, which had already obsoleted RFC 2109) that should define the cookie nowadays, most browsers don't fully support it and simply comply with the original specification by Netscape.

There is a distinction between the Domain attribute value and the effective domain: the former is taken from the Set-Cookie header field and the latter is the interpretation of that attribute value. According to RFC 2965, the following should apply:

  • If the Set-Cookie header field does not have a Domain attribute, the effective domain is the domain of the request.
  • If there is a Domain attribute present, its value will be used as the effective domain (if the value does not start with a . it will be added by the client).

Having the effective domain, it must also domain-match the currently requested domain in order to be set; otherwise the cookie will be modified. The same rule applies for choosing the cookies to be sent in a request.


Mapping this knowledge onto your questions, the following should apply:

  • Cookie with Domain=.example.com will be accessible for www.example.com
  • Cookie with Domain=.example.com will be accessible for example.com
  • Cookie with Domain=example.com will be converted to .example.com and thus will also be accessible for www.example.com
  • Cookie with Domain=example.com will not be accessible for anotherexample.com
  • www.example.com will be able to set a cookie for example.com
  • www.example.com will not be able to set a cookie for www2.example.com
  • www.example.com will not be able to set a cookie for .com

And to set and read a cookie for/by www.example.com and example.com, set it for .www.example.com and .example.com respectively. But the first (.www.example.com) will only be accessible for other domains below that domain (e.g. foo.www.example.com or bar.www.example.com), whereas .example.com can also be accessed by any other domain below example.com (e.g. foo.example.com or bar.example.com).
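
The set and send rules described in this answer, as an added example that is not part of the original answer and not browser source code. The function names are hypothetical, the leading dot is ignored when comparing so the bare domain itself matches (as the answer states), and the "no embedded dots" check from RFC 2965 stands in for the public-suffix list real browsers use to refuse values like `.com`.

```javascript
// Simplified model of Domain handling: which scope a cookie gets when it is
// set, and which hosts it is later sent to. Path, Secure, expiry are ignored.

// Returns the stored scope, or null when the cookie is rejected.
function effectiveDomain(requestHost, domainAttr) {
  const host = requestHost.toLowerCase();
  if (domainAttr === undefined || domainAttr === "") {
    // No Domain attribute: the cookie is bound to the request host only.
    return { domain: host, hostOnly: true };
  }
  const bare = domainAttr.toLowerCase().replace(/^\./, "");
  // A value with no embedded dot (".com", "com") is refused outright.
  if (!bare.includes(".")) return null;
  const scope = { domain: "." + bare, hostOnly: false };
  // The setting host must itself fall inside the scope it asks for.
  return domainMatches(host, scope) ? scope : null;
}

// True when a request to requestHost should carry a cookie with this scope.
function domainMatches(requestHost, scope) {
  const host = requestHost.toLowerCase();
  if (scope.hostOnly) return host === scope.domain;
  const bare = scope.domain.slice(1);
  // Suffix match on a label boundary: "anotherexample.com" must not match.
  return host === bare || host.endsWith(scope.domain);
}

function cookiesToSend(requestHost, jar) {
  return jar.filter((c) => domainMatches(requestHost, c.scope)).map((c) => c.name);
}

// Constructed cookie jar: both cookies are set by www.example.com.
const jar = [
  { name: "site_wide", scope: effectiveDomain("www.example.com", "example.com") },
  { name: "www_only", scope: effectiveDomain("www.example.com") },
];

for (const host of ["www.example.com", "example.com", "anotherexample.com"]) {
  console.log(host, "->", cookiesToSend(host, jar));
}
console.log("Domain=www2.example.com:", effectiveDomain("www.example.com", "www2.example.com"));
console.log("Domain=.com:", effectiveDomain("www.example.com", ".com"));
```

A cookie that must be readable on both `www.example.com` and `example.com` therefore needs an explicit `Domain=example.com` (or `.example.com`); omitting the attribute pins it to the one host that set it.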