What are valid values for the domain attribute of a cookie? - cookies

I can't find any good source that explains what valid values for the domain attribute of a cookie are when it gets set. They all just explain where cookies set for domain x are sent to. But I want to know
is www.example.com allowed to set a cookie with Domain example.com?
is example.com allowed to set a cookie with Domain www.example.com?
is www.example.com allowed to set a cookie with Domain www2.example.com?
is example.com allowed to set a cookie with Domain example.org?
is example.com allowed to set a cookie with Domain com?
Is https://publicsuffix.org/ relevant here for the site context?
Thx

Related

Cookie behavior in Django

I've been doing some research on cookies in Django for some time now.
However, I don't understand the following.
The default setting in Django for the SESSION_COOKIE_DOMAIN is None so the domain attribute will be empty.
Django sets the session cookie in the session middleware:
response.set_cookie(
    # ...
    domain=settings.SESSION_COOKIE_DOMAIN,
)
The set_cookie function from the response object has the following relevant part if the domain is None which is the default setting in Django:
if domain is not None:
    self.cookies[key]['domain'] = domain
Therefore, I assume that the domain in the cookie header is omitted.
I've read this great article about cookies and user2864740 made a nice conclusion about it:
"When no domain is set in the cookie, the cookie should only match the exact host name of the request.
No sub domains, no partial matches.
This means simply not including the domain attribute – it is not valid to set an empty domain attribute."
1.) Why does the cookie still work if it's not valid to leave the domain attribute empty or did I misunderstand something here?
2.) Let's assume I own the domain example.com
I don't modify the default settings from Django so SESSION_COOKIE_DOMAIN is None
If I inspect the cookies for the domain example.com I see the following:
Name: sessionid
Value: XXXXXX
Host: example.com
I thought setting a cookie domain without a preceding dot is invalid. Why does Django not use .example.com?
Is it basically the same if the cookie domain is example.com because it will produce the same behaviour as with a preceding dot?
3.) Did I understand it correctly that if I set a cookie on example.com (without www) the cookie will also be available on all subdomains and it's currently not possible to set a cookie only on the main domain that is not available on subdomains.
1.) Why does the cookie still work if it's not valid to leave the domain attribute empty or did I misunderstand something here?
The code you just pointed to makes clear that no domain is set in the response; the key is simply not included. What would be invalid (more precisely, "undefined") would be including the key Domain but leaving out an attribute value. Django doesn't do that.
2.) I thought setting a cookie domain without a preceding dot is invalid. Why does Django not use .example.com?
First, you have that backwards. RFC 6265 says that a leading dot "is not permitted" (though it will simply be ignored if it's there).
Secondly, the cookie details you've shown don't include a Domain key. "Host" is not a cookie attribute; that's presumably just Chrome telling you where the cookie came from.
3.) Did I understand it correctly that if I set a cookie on example.com (without www) the cookie will also be available on all subdomains and it's currently not possible to set a cookie only on the main domain that is not available on subdomains.
Right.

ColdFusion setting cookies on a specific subdomain

I have a domain www.example.com with two sub domains
foo.example.com
bar.example.com
I want to set a cookie for all subdomains except foo.example.com. Any help is greatly appreciated!
Currently I have tried,
<cfcookie name="cookieName" value="cookieValue" expires="never" domain=".example.com" path="/">
But it sets this cookie on all sub-domains.
If I understand your question correctly, you wish for a cookie set on foo.example.com to be read by both foo.example.com and example.com but not by bar.example.com. I don't think you can do this - at least not using the native application of domain cookies. The domain cookies allow a cookie set in a parent to be read by subsequent children. Since foo and bar are both children of example.com in the hierarchy, they would be able to read a domain wide cookie.

Modifying cookie domain in Google Tag Manager from ".example.com" to "example.com"

On my website I have Google Tag Manager with a GA Universal Analytics Tag installed. All images on the site are on a dedicated subdomain: images.example.com
My issue is that Analytics sets its _ga cookie to ".example.com" so it is sent along with all requests to images.example.com. I would like to set the cookie domain to "example.com" (without the dot) so it does not apply to my image-only subdomain.
I have already set the "Cookie Domain" setting to a macro which is a constant with the value "domain.com" and even though the container is properly published the cookie domain remains ".example.com"
Do you guys have any hints on how I could change the cookie domain?
Use the cookie domain "none"
This will set a host-only cookie which will not be sent for all subdomains. Except in IE.
See the localhost example here:
https://developers.google.com/analytics/devguides/collection/analyticsjs/domains

How to stop domain cookies being used for subdomains?

I have a setup with the following domains:
mydomain.com
www.mydomain.com
There is one problem (tested on Internet Explorer):
if some cookie is set for mydomain.com, this cookie is also effective for www.mydomain.com even if I set a cookie with the same name for www.mydomain.com.
More specific example:
1) the user chooses his preferred language on website mydomain.com and I set the cookie usrlng=en
2) next day someone else uses the same computer, navigates to www.mydomain.com and chooses his language, and I set the usrlng=de. But Internet Explorer keeps sending both cookies usrlng=en and usrlng=de to the server (I see this in Fiddler)! Why is it sending the same cookie twice and not overriding 'usrlng' with the subdomain value?
At the same time I see that PHPSESSID is being overwritten correctly for the subdomain, there are no two PHPSESSID cookies being sent to the server.
How can I fix the usrlng cookie and make it work the same way as PHPSESSID works?
You can also set a different save_path for each... so they don't share the sessions.
PHP example:
// HTTP_HOST is client-supplied; validate it against an allowlist of your
// own host names before using it in a filesystem path.
$parts = explode('.', $_SERVER['HTTP_HOST']);
$subdomain = array_shift($parts); // "www" for www.mydomain.com, "mydomain" for the apex
// Backslashes must be doubled: in a single-quoted PHP string \' is an escaped quote
ini_set('session.save_path', 'D:\\website_sessions\\' . $subdomain . '\\');
PHP needs access to write in the sessions directory.
For now I solved the problem by setting the 'host' of the cookie instead of 'domain'; 'host' property allowed to limit the cookie to mydomain.com or www.mydomain.com.
Maybe that is the only way to go and 'domain' cannot be set up to override top level domain cookies.
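
The "two cookies with one name" behaviour in this thread follows from how an RFC 6265 cookie store identifies cookies: by (name, domain, path), not by name alone. The following Python is an added example, not code from the thread or from PHP or Internet Explorer: a minimal cookie store that reproduces the usrlng case (a domain cookie on mydomain.com plus a host-only cookie on www.mydomain.com), shows why PHPSESSID never doubled up, and shows the two ways to avoid the duplicate. The host names and cookie values are constructed.

```python
from typing import Dict, List, Optional, Tuple

Key = Tuple[str, str, str]  # (name, domain, path): the identity of a stored cookie


def domain_match(host: str, domain: str) -> bool:
    """RFC 6265 s5.1.3 domain-match for already lower-cased host names."""
    return host == domain or host.endswith("." + domain)


class CookieStore:
    """A minimal RFC 6265 cookie store: one entry per (name, domain, path)."""

    def __init__(self) -> None:
        self._cookies: Dict[Key, Tuple[str, bool]] = {}  # key -> (value, host_only)

    def set_cookie(self, request_host: str, name: str, value: str,
                   domain: Optional[str] = None, path: str = "/") -> None:
        """Store a cookie as a user agent would for a Set-Cookie header
        received in a response from request_host."""
        if domain is None:
            cookie_domain, host_only = request_host, True         # host-only cookie
        else:
            cookie_domain, host_only = domain.lstrip("."), False  # domain cookie
            if not domain_match(request_host, cookie_domain):
                raise ValueError(f"{request_host} may not set Domain={domain}")
        # Same (name, domain, path) replaces the old cookie; a different domain
        # creates a second, independent cookie with the same name.
        self._cookies[(name, cookie_domain, path)] = (value, host_only)

    def cookies_for(self, request_host: str, request_path: str = "/") -> List[Tuple[str, str]]:
        """The (name, value) pairs that go into the Cookie header of a request."""
        sent = []
        for (name, cookie_domain, path), (value, host_only) in self._cookies.items():
            if host_only:
                host_ok = request_host == cookie_domain
            else:
                host_ok = domain_match(request_host, cookie_domain)
            if host_ok and request_path.startswith(path):
                sent.append((name, value))
        return sent


# The scenarios from the thread; hosts and values are constructed.

def reproduce_problem() -> List[Tuple[str, str]]:
    """Day 1: usrlng=en set on mydomain.com with Domain=mydomain.com.
    Day 2: usrlng=de set on www.mydomain.com with no Domain attribute.
    Both cookies match www.mydomain.com, so both are sent."""
    jar = CookieStore()
    jar.set_cookie("mydomain.com", "usrlng", "en", domain="mydomain.com")
    jar.set_cookie("www.mydomain.com", "usrlng", "de")
    return jar.cookies_for("www.mydomain.com")


def host_only_fix() -> List[Tuple[str, str]]:
    """What PHPSESSID already does and what the asker switched to: no Domain
    attribute on either host, so each host has its own cookie and
    www.mydomain.com never sees the one set on the apex."""
    jar = CookieStore()
    jar.set_cookie("mydomain.com", "usrlng", "en")
    jar.set_cookie("www.mydomain.com", "usrlng", "de")
    return jar.cookies_for("www.mydomain.com")


def same_domain_fix() -> List[Tuple[str, str]]:
    """The other option: use the same Domain attribute on every host, so the
    second Set-Cookie replaces the first instead of sitting beside it."""
    jar = CookieStore()
    jar.set_cookie("mydomain.com", "usrlng", "en", domain="mydomain.com")
    jar.set_cookie("www.mydomain.com", "usrlng", "de", domain="mydomain.com")
    return jar.cookies_for("www.mydomain.com")
```

Either fix works; mixing them is what produces the duplicate, because the server cannot tell from the Cookie header which usrlng came from which stored cookie.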

Is it possible to share a cookie between a domain and a subsubdomain

I'm trying to share a cookie between www.example.com and admin.other.example.com
I've been able to make it work with other.example.com, but there's no way to access the sub-sub-domain
Edit: I handle subdomains by defining the cookie domain as .example.com (note the first dot)
You can only share cookies between a domain and its own subdomains.
For example:
a cookie defined for the domain example.com can be accessed by www.example.com and foo.bar.example.com
a cookie defined for the domain www.example.com can be accessed by foo.www.example.com but not by bar.example.com
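
To make the rules in this answer, in the Django answer above (host-only cookie when Domain is absent, leading dot ignored) and in the five questions at the top of the page concrete, here is an added Python example, not code from any answer on the page. It implements the two separate checks a user agent makes: at set time, whether a response from a given host may set a given Domain attribute (RFC 6265 section 5.3, including the public-suffix rule), and at send time, whether a stored cookie domain-matches the request host (section 5.1.3). The PUBLIC_SUFFIXES set is a constructed stand-in for the Public Suffix List and IDNA and IP-literal handling are left out.

```python
from typing import Optional, Tuple

# Constructed stand-in for the Public Suffix List (https://publicsuffix.org/);
# a real user agent loads the full list. This small set is an assumption.
PUBLIC_SUFFIXES = {"com", "org", "co.uk", "github.io"}


def canonicalize(host: str) -> str:
    """Lower-case and strip a trailing dot (RFC 6265 s5.1.2, IDNA left out)."""
    return host.strip().lower().rstrip(".")


def domain_match(string: str, domain_string: str) -> bool:
    """RFC 6265 s5.1.3: `string` domain-matches `domain_string` when they are
    equal or `string` ends with "." + domain_string (IP literals not handled)."""
    string, domain_string = canonicalize(string), canonicalize(domain_string)
    return string == domain_string or string.endswith("." + domain_string)


def accept_domain(request_host: str, domain_attr: Optional[str]) -> Optional[Tuple[str, bool]]:
    """Set time (RFC 6265 s5.3 steps 4-6): how does a user agent store the
    Domain attribute of a Set-Cookie received from request_host?

    Returns (cookie_domain, host_only), or None when the cookie is ignored.
    """
    request_host = canonicalize(request_host)
    if not domain_attr:
        # No Domain attribute: host-only cookie, matched only by the exact host.
        return request_host, True
    # A leading dot is "not permitted" but is ignored when present (s4.1.2.3).
    cookie_domain = canonicalize(domain_attr).lstrip(".")
    if cookie_domain in PUBLIC_SUFFIXES:
        # Domain=com would be sent to every .com site. Only a host that *is*
        # the suffix may keep the cookie, and then only as host-only (s5.3 step 5).
        return (request_host, True) if cookie_domain == request_host else None
    if not domain_match(request_host, cookie_domain):
        # A host may set cookies for itself or a parent, never for a sibling
        # or a child: example.com cannot set Domain=www.example.com.
        return None
    return cookie_domain, False


def should_send(cookie_domain: str, host_only: bool, request_host: str) -> bool:
    """Send time (RFC 6265 s5.4 step 1): is a stored cookie attached to a
    request for request_host?"""
    request_host = canonicalize(request_host)
    if host_only:
        return request_host == canonicalize(cookie_domain)
    return domain_match(request_host, cookie_domain)


if __name__ == "__main__":
    # The five questions from the first post, answered by the set-time rule.
    for host, attr in [("www.example.com", "example.com"),
                       ("example.com", "www.example.com"),
                       ("www.example.com", "www2.example.com"),
                       ("example.com", "example.org"),
                       ("example.com", "com")]:
        print(f"{host} sets Domain={attr}: {accept_domain(host, attr)}")
```

Only the first of the five questions gets a non-None answer: www.example.com may set Domain=example.com (a parent), while a child, a sibling, an unrelated domain and a public suffix are all rejected. At send time a host-only cookie for example.com is not attached to www.example.com, whereas a domain cookie for example.com reaches every subdomain, including foo.bar.example.com.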