How do browser cookie domains work?

Question

Due to weird domain/subdomain cookie issues that I\'m getting, I\'d like to know how browsers handle cookies. If they do it in different ways, it would also be nice to know

Answer 1

Will www.example.com be able to set cookie for .com?

No, but example.com.fr may be able to set a cookie for example2.com.fr. Firefox protects against this by maintaining a list of TLDs: http://securitylabs.websense.com/content/Blogs/3108.aspx

Apparently Internet Explorer doesn't allow two-letter domains to set cookies, which I suppose explains why o2.ie simply redirects to o2online.ie. I'd often wondered that.

Answer 2

The RFCs are known not to reflect reality.

Better check draft-ietf-httpstate-cookie, work in progress.

Answer 3

I tested all the cases in the latest Chrome, Firefox, Safari in 2019.

Response to Added:

• Will a cookie for .example.com be available for www.example.com? YES
• Will a cookie for .example.com be available for example.com? YES
• Will a cookie for example.com be available for www.example.com? NO, Domain without wildcard only matches itself.
• Will a cookie for example.com be available for anotherexample.com? NO
• Will www.example.com be able to set cookie for example.com? NO, it will be able to set cookie for '.example.com', but not 'example.com'.
• Will www.example.com be able to set cookie for www2.example.com? NO. But it can set cookie for .example.com, which www2.example.com can access.
• Will www.example.com be able to set cookie for .com? NO