80

Let's say I have a website with domain: www.example.com

If I set a cookie with path '/' the cookie will be accessible via all pages in the domain, e.g.:

  • www.example.com/page1.html
  • www.example.com/subfolder1/page1.html
  • www.example.com/subfolder1/moresubfolder1/page1.html, etc.

What if we set the cookie to path '/subfolder1', will the cookie be made available to any page or subfolder beneath the folder? E.g.:

  • www.example.com/subfolder1/moresubfolder/page1.html

So, if not, I guess, I have no choice but to use path '/' for those cookies, right?

Nordin

3 Answers

81

If we set the cookie to path '/subfolder1', will the cookie be made available to any page or subfolder beneath the folder?

Yes. The cookie will be available to all pages and subdirectories within the /subfolder1 path.

nilskp
Alex Barrett
  • See http://stackoverflow.com/questions/8014024/set-cookie-wildcard-path for the relevant specification. For those who didn't know, cookies are only accessible to the specified path and any subpaths, no superpaths. So cookies for the path "/folder/subfolder1/" are not accessible to "/folder/". I banged my head on this one for a bit. – Anson Kao Dec 14 '11 at 07:13
  • @SampleJACK ouch, that explains MY problem quite nicely! – RonLugge Mar 01 '13 at 21:23
  • @Alex, so how do we get a cookie that is for `/subfolder1` but **not** `/subfolder1/inner-folder`? – Pacerier Mar 05 '13 at 19:24
  • @Pacerier the answer we are commenting on is correct, were you asking something else? – Anson Kao Jun 06 '13 at 05:06
  • @SampleJACK how do we get a cookie that is for /subfolder1 but not /subfolder1/inner-folder? – Pacerier Jun 06 '13 at 08:17
  • As I understand it, that's not possible. Cookies apply to all lower paths (unless you set a different cookie for the lower down path, i.e. in our case on /subfolder1/inner-folder) – thepeer Jun 07 '17 at 10:33
13

If we set the cookie to path /subfolder1, the following pages in the example are accessible:

www.example.com/subfolder1/page1.html
www.example.com/subfolder1/moresubfolder1/page1.html
etc.

However, the page www.example.com/page1.html will not be accessible as it does not belong to the allowed path.

MCL
thefunfreak
13

To remove some ambiguity by reusing a portion of this answer:

A request-path path-matches a given cookie-path if at least one of the following conditions holds:

  • The cookie-path and the request-path are identical.
  • The cookie-path is a prefix of the request-path, and the last character of the cookie-path is %x2F ("/").
  • The cookie-path is a prefix of the request-path, and the first character of the request-path that is not included in the cookie-path is a %x2F ("/") character.

There is a slight (but potentially important) difference between setting a cookie on the /subfolder1 path and the /subfolder1/ path.

If you rely on the former your request path needs to start with a "%x2F ("/") character" (a forward slash) to guarantee the desired behaviour. For an example, take a look at the linked answer.

Setting the cookie path to simply / avoids any edge cases, but as you say, the cookie would be accessible to the entire domain.

Community
Michael
  • most informing answer – CybeX Oct 02 '17 at 21:41
  • What is the difference between `/subfolder1` and `/subfolder1/`? From the linked answer, the only difference is: the request path `/subfolder1KKK` also matches cookie path `/subfolder1`, right? And different browsers may have different behavior, e.g. IE matches request path `/subfolder1KKK` to cookie path `/subfolder1`, but Firefox will not, right? – frank Apr 22 '19 at 02:12
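
The three path-match conditions quoted in the last answer, written out as an added JavaScript example (not code from any of the posts above). The cookie names and the jar are constructed sample values, and the function follows the rules as quoted (RFC 6265, section 5.1.4), not any particular browser's implementation.

```javascript
// Path-match as quoted in the answer above (RFC 6265, section 5.1.4).
function pathMatches(cookiePath, requestPath) {
  // Condition 1: the cookie-path and the request-path are identical.
  if (cookiePath === requestPath) return true;
  // Conditions 2 and 3 both require the cookie-path to be a prefix.
  if (!requestPath.startsWith(cookiePath)) return false;
  // Condition 2: the cookie-path ends with "/".
  if (cookiePath.endsWith("/")) return true;
  // Condition 3: the first request-path character past the prefix is "/".
  return requestPath.charAt(cookiePath.length) === "/";
}

// Constructed cookie jar: one cookie per Path value discussed on this page.
const jar = [
  { name: "site", path: "/" },
  { name: "noslash", path: "/subfolder1" },
  { name: "slash", path: "/subfolder1/" },
  { name: "inner", path: "/subfolder1/inner-folder" },
];

// Names of the cookies whose Path matches requestPath (listed in jar order,
// which is not necessarily the order a client would send them in).
function cookiesFor(requestPath, cookies = jar) {
  return cookies
    .filter((c) => pathMatches(c.path, requestPath))
    .map((c) => c.name);
}

// Request paths taken from the question, the answers and the comments.
const samplePaths = [
  "/page1.html",
  "/subfolder1",
  "/subfolder1/",
  "/subfolder1/moresubfolder1/page1.html",
  "/subfolder1/inner-folder/page1.html",
  "/subfolder1KKK",
];

function report() {
  return samplePaths.map((p) => `${p} -> ${cookiesFor(p).join(", ")}`);
}

console.log(report().join("\n"));
```

Under these rules the two spellings differ only for the request path `/subfolder1` itself: a cookie set with Path `/subfolder1/` is not matched there, while one set with Path `/subfolder1` is.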