How do browser cookie domains work?

逝去的感伤 2020-11-22 05:34

Due to weird domain/subdomain cookie issues that I'm getting, I'd like to know how browsers handle cookies. If they do it in different ways, it would also be nice to know

9 answers
  攒了一身酷
    2020-11-22 05:40

    The latest (third, to be exact) RFC for this issue is RFC-6265 (obsoletes RFC-2965, which in turn obsoletes RFC-2109).

    According to it, if the server omits the Domain attribute, the user agent will return the cookie only to the origin server (the server on which a given resource resides). But it also warns that some existing user agents treat an absent Domain attribute as if the Domain attribute were present and contained the current host name (for example, if example.com returns a Set-Cookie header without a Domain attribute, these user agents will erroneously send the cookie to www.example.com as well).

    When the Domain attribute has been specified, it will be treated as a complete domain name (if there is a leading dot in the attribute, it will be ignored). The server should match the domain specified in the attribute (have exactly the same domain name or be a subdomain of it) to get this cookie. It is specified more precisely here.

    So, for example:

    • cookie attribute Domain=.example.com is equivalent to Domain=example.com
    • cookies with such Domain attributes will be available for example.com and www.example.com
    • cookies with such Domain attributes will not be available for another-example.com
    • specifying cookie attribute like Domain=www.example.com will close the way for www4.example.com

    PS: trailing comma in Domain attribute will cause the user agent to ignore the attribute =(
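The rules this answer describes, as an added example that is not part of the original answer and not any browser's real code: a minimal model of the RFC 6265 Domain-attribute parsing (leading dot dropped) and domain-matching (section 5.1.3) steps, plus the host-only behaviour when the attribute is absent. The function and field names are assumptions made for the example.

```javascript
// Added example: a small model of RFC 6265 cookie domain rules.
// Not a browser's implementation; names here are illustrative.

const IPV4 = /^\d{1,3}(\.\d{1,3}){3}$/;

// Parse a Set-Cookie Domain attribute value: drop one leading dot,
// lower-case it, and treat an empty/missing value as "no Domain attribute".
function parseDomainAttribute(value) {
  if (value === undefined || value === null) return null;
  let d = String(value).trim();
  if (d.startsWith('.')) d = d.slice(1);
  if (d === '') return null;
  return d.toLowerCase();
}

// RFC 6265 section 5.1.3: a request host domain-matches a cookie domain
// when they are equal, or when the host ends with the domain, the character
// before that suffix is a dot, and the host is not a bare IPv4 address.
function domainMatches(host, domain) {
  host = host.toLowerCase();
  if (host === domain) return true;
  return host.endsWith(domain) &&
         host.charAt(host.length - domain.length - 1) === '.' &&
         !IPV4.test(host);
}

// Decide whether a cookie set by cookie.originHost with cookie.domainAttr
// (possibly absent) would be sent with a request to requestHost.
function cookieSentTo(cookie, requestHost) {
  const domain = parseDomainAttribute(cookie.domainAttr);
  if (domain === null) {
    // Host-only cookie: returned only to the exact origin host.
    return requestHost.toLowerCase() === cookie.originHost.toLowerCase();
  }
  // The user agent rejects the cookie if the setting host itself does not
  // domain-match the attribute (e.g. example.com setting Domain=other.com).
  if (!domainMatches(cookie.originHost, domain)) return false;
  return domainMatches(requestHost, domain);
}
```

Feeding the answer's four bullet cases into cookieSentTo reproduces each stated outcome; the host-only branch models the RFC behaviour, not the erroneous user agents the answer mentions.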
