I would like to know what is a host only cookie.
While retrieving a form auth, browser gets in the headers a JSESSIONID cookie shown as host only.
Asked
Active
Viewed 4.3k times
44
jacktrades
- 6,766
- 13
- 50
- 80
3 Answers
75
First of all, it is not possible for foo.com to set a cookie that can be read by bar.com. Host-only only protects example.com cookies from being read by bar.example.com.
From RFC 6265 regarding setting a cookie and its Domain attribute:
If the domain-attribute is non-empty: If the canonicalized request-host does not domain-match the domain-attribute: Ignore the cookie entirely and abort these steps. Otherwise: Set the cookie's host-only-flag to false. Set the cookie's domain to the domain-attribute. Otherwise: Set the cookie's host-only-flag to true. Set the cookie's domain to the canonicalized request-host.
What this means
The above can be summed up by "Host-only is the default". That is, if Domain is not specified, the cookie can only be read by the exact domain that has set the cookie. This can be loosened by setting the Domain attribute when setting a cookie.
For example, if the cookie is set by www.example.com and the Domain attribute is not specified, the cookie will be set with domain www.example.com and the cookie will be a host only cookie.
Another example: If the cookie is set by www.example.com and the Domain attribute is specified as example.com (so the cookie will be sent to foo.example.com too), the cookie will be set with domain example.com (or possibly .example.com by some browsers that use the dot from the previous RFC 2109 to denote not host-only) and the cookie will not be a host only cookie.
Sending of cookies is covered in section 5.4 regarding the when the cookie header is sent by the browser:
The cookie's host-only-flag is true and the canonicalized
request-host is identical to the cookie's domain.
Or:
The cookie's host-only-flag is false and the canonicalized
request-host domain-matches the cookie's domain.
So a cookie with domain example.com and host-only as false is sent to foo.example.com . If host-only is true, the example.com cookie is sent to example.com only.
SilverlightFox
- 28,804
- 10
- 63
- 132
-
3Just ran into this on a client's website and went to look it up. Your comment is clear and understandable. Props for it. – spoorlezer Mar 31 '15 at 10:54
-
Excellent description, thank you. It's worth noting that IE deliberately does not support this (https://blogs.msdn.microsoft.com/ieinternals/2009/08/20/internet-explorer-cookie-internals-faq/) and even latest IE 11 still sends cookies to subdomains even if the domain attribute was set. – sparrowt Mar 02 '17 at 15:44
-
The last sentence is wrong. It should be: "So a cookie with domain `example.com` and `host-only` as `false` is sent to `foo.example.com` . If `host-only` is `true`, the `example.com` is sent to `example.com` only." – SkrewEverything Sep 13 '20 at 08:09
-
@SkrewEverything Well spotted. The first one to spot my *_deliberate_ mistake in five years! *cough – SilverlightFox Sep 14 '20 at 08:16
-
1@sparrowrt this did eventually (after your comment) get fixed in IE and Edge: “By Windows 10 RS4 (April 2018), both Edge and Internet Explorer match other browsers.” (from the FAQ you linked to) – Neil Madden Nov 09 '20 at 09:27
12
Host Only cookie means that the cookie should be handled by the browser to the server only to the same host/server that firstly sent it to the browser.
You don't want to send this host only cookie for ad campaigns, as it might contain sensitive information.
jacktrades
- 6,766
- 13
- 50
- 80
-
1Your answer came 3 years after SilverLightFox's and is in every way not as good (and even a bit misleading). I have no idea why you decided to write your own answer instead of selecting the other. – MyUsername112358 May 20 '20 at 15:00
-
8@MyUsername112358 You have it backwards. SilverLightFox's answer came out just over 2 years after this one. – Mark Ormston Jul 20 '20 at 19:00
1
The cookie's host-only-flag is true and the canonicalized request-host is identical to the cookie's domain.
Suriya
- 625
- 7
- 17