50

I looked at many questions about cookies but I didn't find an answer to my problem. I have the following scenario:

A user creates a login on example.com and should get a cookie, but only for the subdomain fuu.example.com. I generate the following HTTP header:

Set-Cookie: name=TestUser; Domain=fuu.example.com; Path=/; secure; HttpOnly

But when I make a request to https://fuu.example.com, the cookie is not added to the request. I wonder if it is possible for example.com to set a cookie for fuu.example.com. I know that it is possible for example.com to set a cookie for .example.com, i.e. for all subdomains of example.com, but that's not what I want.

How do I set a cookie for a subdomain? I am not seeing the cookie in a request to the subdomain.

AndrewS
Jarus

2 Answers

49

No. Besides the fact that fuu.example.com is an invalid Domain value (it must start with a ., i.e. .fuu.example.com) (see update below), the cookie would get rejected:

To prevent possible security or privacy violations, a user agent rejects a cookie (shall not store its information) if any of the following is true:

  • The request-host is a Fully-Qualified Domain Name (not IP address) and has the form HD, where D is the value of the Domain attribute, and H is a string that contains one or more dots.

The request-host is example.com and the Domain attribute value is foo.example.com. But the request-host example.com does not have the form HD where D would be foo.example.com. Thus the cookie gets rejected.

Update: The current specification, RFC 6265, which obsoleted the RFC 2109 quoted above, does ignore the leading dot. But the effective domain is handled the same:

[…] if the value of the Domain attribute is "example.com", the user agent will include the cookie in the Cookie header when making HTTP requests to example.com, www.example.com, and www.corp.example.com. (Note that a leading %x2E ("."), if present, is ignored even though that character is not permitted, but a trailing %x2E ("."), if present, will cause the user agent to ignore the attribute.)

[…] the user agent will accept a cookie with a Domain attribute of "example.com" or of "foo.example.com" from foo.example.com, but the user agent will not accept a cookie with a Domain attribute of "bar.example.com" or of "baz.foo.example.com".

Alex W
Gumbo

13

The two domains example.com and foo.example.com can only share cookies if the domain is explicitly named in the Set-Cookie header. Otherwise, the scope of the cookie is restricted to the request host.

For instance, if you sent the following header from foo.example.com:

Set-Cookie: name=value

Then the cookie won't be sent for requests to example.com. However, if you use the following, it will be usable on both domains:

Set-Cookie: name=value; domain=example.com

In RFC 2109, a domain without a leading dot meant that it could not be used on subdomains, and only a leading dot (.example.com) would allow it to be used across subdomains.

However, modern browsers respect the newer specification RFC 6265, and will ignore any leading dot, meaning you can use the cookie on subdomains as well as the top-level domain.

In summary, if you set a cookie like the second example above from example.com, it would be accessible by foo.example.com, and vice versa.

For more details: https://stackoverflow.com/a/23086139/5466401

Sibin John Mattappallil
  • What about sharing cookie between `foo1.example.com` and `foo2.example.com`? Is that possible without `foo3.example.com` getting it? – Dushyant Bangal Sep 25 '18 at 11:16
  • Have you got any solution for the same @DushyantBangal – PPB Jul 30 '19 at 09:06
  • @PranavBilurkar from the R&D I did, the server can only set a cookie for itself which is applicable `foo2.example.com` or its wildcard subdomain applicable for `*.foo2.example.com`. – Dushyant Bangal Aug 01 '19 at 09:45
  • @PranavBilurkar ... so to implement what I've mentioned, one will have to call API on both `foo1.example.com` and `foo2.example.com`, and they will set their respective cookies. – Dushyant Bangal Aug 01 '19 at 09:48
  • Actually my problem is: I have 7 sites on `.example.com` which share the cookie on all sites & I want to exclude `media.example.com` from the shared cookie – PPB Aug 01 '19 at 09:51
  • @sibin Would it be recommended (and safe) to do something like an auth server like that? For example, I have a service `service.example.com` and a login page at `example.com`. Then, by setting a cookie at `example.com` when the user logs in, I will be able to use that cookie from `service.example.com`. Is that fine? You can take it that I have no other program using that `example.com` auth server. – RealZombs Apr 30 '21 at 13:16
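The rules both answers describe (RFC 6265 sections 5.1.3, 5.3 and 5.4: domain-matching, rejection of a Domain attribute the request host does not domain-match, host-only cookies when Domain is absent, leading dot ignored, trailing dot disabling the attribute) can be checked with a small model of a user agent's cookie store. The following is an added example written for this page, not code from any answer or browser; the function names (`store_cookie`, `cookie_sent_to`, `domain_matches`) and the scenario names are my own, and the public-suffix check from section 5.3 step 5 is deliberately left out because it needs the Public Suffix List. It runs the asker's header, both answers' examples, and the comment thread's question about sibling subdomains (a Domain=example.com cookie necessarily reaches media.example.com too).

```python
"""Model of RFC 6265 cookie-domain handling: which Set-Cookie headers a user
agent stores for a given request host, and which stored cookies it later sends.
Public-suffix checks (RFC 6265 section 5.3 step 5) are omitted on purpose."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Cookie:
    name: str
    value: str
    domain: str        # canonicalized: lowercase, no leading dot
    host_only: bool    # True when Set-Cookie carried no usable Domain attribute
    secure: bool = False
    http_only: bool = False


def _is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """Section 5.1.3: equal strings match; otherwise cookie_domain must be a
    suffix of request_host preceded by a '.', and the host must not be an IP."""
    host, dom = request_host.lower(), cookie_domain.lower()
    if host == dom:
        return True
    return host.endswith(dom) and host[-len(dom) - 1] == "." and not _is_ip(host)


def store_cookie(request_host: str, set_cookie: str):
    """Apply the storage rules of section 5.3 to a Set-Cookie header received
    from request_host. Returns a Cookie, or None when the user agent rejects it."""
    pieces = [p.strip() for p in set_cookie.split(";")]
    name, _, value = pieces[0].partition("=")
    name, value = name.strip(), value.strip()
    if not name:
        return None
    domain_attr, secure, http_only = "", False, False
    for av in pieces[1:]:
        attr, _, val = av.partition("=")
        attr, val = attr.strip().lower(), val.strip()
        if attr == "domain":
            # Trailing dot (or empty value): the attribute is ignored entirely.
            # Leading dot: tolerated and stripped (section 5.2.3).
            if not val or val.endswith("."):
                continue
            domain_attr = val.lstrip(".").lower()
        elif attr == "secure":
            secure = True
        elif attr == "httponly":
            http_only = True
    host = request_host.lower()
    if domain_attr:
        # Section 5.3 step 6: if the request host does not domain-match the
        # attribute the whole cookie is dropped. This is what rejects a
        # Domain=fuu.example.com cookie that example.com tries to set.
        if not domain_matches(host, domain_attr):
            return None
        return Cookie(name, value, domain_attr, False, secure, http_only)
    # No usable Domain attribute: host-only cookie bound to the exact host.
    return Cookie(name, value, host, True, secure, http_only)


def cookie_sent_to(cookie: Cookie, request_host: str, scheme: str = "https") -> bool:
    """Section 5.4: host-only cookies need an exact host match, domain cookies a
    domain-match; Secure cookies are only attached to https requests."""
    if cookie.secure and scheme != "https":
        return False
    host = request_host.lower()
    return host == cookie.domain if cookie.host_only else domain_matches(host, cookie.domain)


def scenarios() -> dict:
    """Constructed scenarios from the question, the answers and the comments."""
    asker = store_cookie("example.com", "name=TestUser; Domain=fuu.example.com; Path=/; secure; HttpOnly")
    sub = store_cookie("fuu.example.com", "name=TestUser; Domain=fuu.example.com; Path=/; secure; HttpOnly")
    host_only = store_cookie("fuu.example.com", "name=value")
    shared = store_cookie("fuu.example.com", "name=value; domain=example.com")
    dotted = store_cookie("example.com", "name=value; Domain=.example.com")
    trailing = store_cookie("example.com", "name=value; Domain=example.com.")
    return {
        "asker_header_rejected": asker is None,
        "set_from_subdomain_itself": sub is not None and cookie_sent_to(sub, "fuu.example.com"),
        "subdomain_cookie_not_sent_to_parent": sub is not None and not cookie_sent_to(sub, "example.com"),
        "secure_not_sent_over_http": sub is not None and not cookie_sent_to(sub, "fuu.example.com", "http"),
        "host_only_stays_on_host": not cookie_sent_to(host_only, "example.com"),
        "domain_cookie_shared_both_ways": cookie_sent_to(shared, "example.com") and cookie_sent_to(shared, "fuu.example.com"),
        "domain_cookie_reaches_every_subdomain": cookie_sent_to(shared, "media.example.com"),
        "leading_dot_ignored": dotted.domain == "example.com" and not dotted.host_only,
        "trailing_dot_makes_host_only": trailing.host_only,
    }


if __name__ == "__main__":
    for label, outcome in scenarios().items():
        print(f"{label}: {outcome}")
```

Every entry of `scenarios()` comes out True, which is the answers' point in executable form: only fuu.example.com itself can set a cookie scoped to fuu.example.com, and a cookie scoped to example.com is shared with all of its subdomains, so there is no Domain value that covers foo1 and foo2 but excludes foo3.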