Share cookie between subdomain and domain

伪装坚强ぢ 2020-11-21 13:58

I have two questions. I understand that if I specify the domain as .mydomain.com (with the leading dot) in the cookie that all subdomains can share a cookie.

7 answers
  •  慢半拍i (original poster)
    2020-11-21 14:22

    Please everyone note that you can set a cookie from a subdomain on a domain.

    (sent in the response for requesting subdomain.mydomain.com)

    Set-Cookie: name=value; Domain=mydomain.com // GOOD
    

    But you CAN'T set a cookie from a domain on a subdomain.

    (sent in the response for requesting mydomain.com)

    Set-Cookie: name=value; Domain=subdomain.mydomain.com // Browser rejects cookie
    

    Why?

    According to the specifications RFC 6265 section 5.3.6 Storage Model

    If the canonicalized request-host does not domain-match the domain-attribute: Ignore the cookie entirely and abort these steps.

    and RFC 6265 section 5.1.3 Domain Matching

    Domain Matching

    A string domain-matches a given domain string if at least one of the following conditions hold:

    1. The domain string and the string are identical. (Note that both the domain string and the string will have been canonicalized to lower case at this point.)

    2. All of the following conditions hold:

      • The domain string is a suffix of the string.

      • The last character of the string that is not included in the domain string is a %x2E (".") character.

      • The string is a host name (i.e., not an IP address).

    So "subdomain.mydomain.com" domain-matches "mydomain.com", but "mydomain.com" does NOT domain-match "subdomain.mydomain.com"

    Check this answer also.
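
The two RFC 6265 rules quoted in the answer above (domain matching and the storage-model check), as an added example that is not part of the original post or of any browser's code. The function names are assumptions, the hosts are the ones used in the answer, and public-suffix rejection is not modelled:

```javascript
// Added example; function names are assumptions, not a browser API.
// Public-suffix rejection (e.g. Domain=com) is deliberately not modelled.

function isIpAddress(host) {
  // IPv4 dotted quad, or anything containing ':' (IPv6 literal)
  return /^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.includes(":");
}

// RFC 6265 section 5.1.3: does `str` domain-match `domain`?
function domainMatches(str, domain) {
  str = str.toLowerCase();
  domain = domain.toLowerCase();
  if (domain === "") return false;
  if (str === domain) return true;                 // condition 1: identical
  if (!str.endsWith(domain)) return false;         // 2a: domain is a suffix
  if (str[str.length - domain.length - 1] !== ".") return false; // 2b: dot boundary
  return !isIpAddress(str);                        // 2c: host name, not an IP
}

// Storage-model decision for a Set-Cookie received from `requestHost`.
function decideSetCookie(requestHost, domainAttr) {
  const host = requestHost.toLowerCase();
  if (!domainAttr) return { stored: true, hostOnly: true, domain: host };
  const domain = domainAttr.replace(/^\./, "").toLowerCase(); // leading dot is ignored
  if (!domainMatches(host, domain)) return { stored: false }; // "ignore the cookie entirely"
  return { stored: true, hostOnly: false, domain };
}

// Would a stored cookie be attached to a request for `host`?
function willBeSentTo(cookie, host) {
  if (!cookie.stored) return false;
  return cookie.hostOnly ? host.toLowerCase() === cookie.domain
                         : domainMatches(host, cookie.domain);
}

// Constructed sample hosts, taken from the examples in the answer.
const cases = [
  ["subdomain.mydomain.com", "mydomain.com"],           // stored
  ["mydomain.com", "subdomain.mydomain.com"],           // rejected
  ["mydomain.com", undefined],                          // host-only
];
for (const [host, attr] of cases) {
  console.log(host, attr, decideSetCookie(host, attr));
}
```

A cookie set without a Domain attribute is host-only and is not sent to subdomains, so omitting the attribute is the narrower scope when sharing is not needed.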
