I've been doing some research on cookies in Django for some time now.
However, I don't understand the following.
The default setting in django for the SESSION_COOKIE_DOMAIN is None so the domain attribute will be empty.
Django sets the session cookie in the session middleware:
response.set_cookie(
# ...
domain=settings.SESSION_COOKIE_DOMAIN,
)
The set_cookie function from the response object has the following relevant part if the domain is None which is the default setting in Django:
if domain is not None:
self.cookies[key]['domain'] = domain
Therefore, I assume that the domain in the cookie header is omitted.
I've read this great article about cookies and user2864740 made a nice conclusion about it:
"When no domain is set in the cookie, the cookie should only match the exact host name of the request.
No sub domains, no partial matches.
This means simply not including the domain attribute – it is not valid to set an empty domain attribute."
1.) Why does the cookie still work if it's not valid to leave the domain attribute empty or did I missunderstood something here?
2.) Let's assume I own the domain example.com
I don't modify the default settings from django so SESSION_COOKIE_DOMAIN is None
If I inspect the cookies for the domain example.com I see the following:
Name: sessionid
Value: XXXXXX
Host: example.com
I thought setting a cookie domain without a preceding dot is invalid. Why does Django not use .example.com?
Is it basically the same if the cookie domain is example.com because it will produce the same behaviour as with a preceding dot?
3.) Did I understand it correctly that if I set a cookie on example.com (without www) the cookie will also be available on all subdomains and it's currently not possible to set a cookie only on the main domain that is not available on subdomains.
1.) Why does the cookie still work if it's not valid to leave the domain attribute empty or did I missunderstood something here?
The code you just pointed to makes clear that no domain is set in the response; the key is simply not included. What would be invalid (more precisely, "undefined"), would be including the key Domain but leaving out an attribute value. Django doesn't do that.
2.) I thought setting a cookie domain without a preceding dot is invalid. Why does Django not use .example.com?
First, you have that backwards. RFC 6265 says that a leading dot "is not permitted" (though it will simply be ignored if it's there).
Secondly, the cookie details you've shown don't include a Domain key. "Host" is not a cookie attribute; that's presumably just Chrome telling you where the cookie came from.
3.) Did I understand it correctly that if I set a cookie on example.com (without www) the cookie will also be available on all subdomains and it's currently not possible to set a cookie only on the main domain that is not available on subdomains.
Right.
Related
I'm trying to use a subdomain cross site cookie with django but I cannot get it, I am in a valid subdomain but it doesn't seems to be useful.
Thie is my conf:
SESSION_COOKIE_SAMESITE = 'None'
SESSION_COOKIE_DOMAIN = '.ngrok.io'
This is the headers from the browser:
But I get the message:
This set-cookie domain attribute was invalid with regards to the current host url
How can I do to make it work?
As says in this answer there is a newer specification for cookies (RFC 6265). The old specification can let you share a cookie sent it from a subdomain "sub.domain.com" or "domain.com" with domain=.domain.com to share between domains and subdomains, but the newer specification can let you share by domain and subdomain only if you sent the cookie from "domain.com" with SameSite=None and domain=domain.com
on my website I have Google Tag Manager with a GA Universal Analytics Tag installed. All images on the site are on a dedicated subdomain: images.example.com
My issue is that Analytics sets its _ga cookie to ".example.com" so it is sent along with all requests to images.example.com. I would like to set the cookie domain to "example.com" (without the dot) so it does not apply to my image-only subdomain.
I have already set the "Cookie Domain" setting to a macro which is a constant with the value "domain.com" and even though the container is properly published the cookie domain remains ".example.com"
Do you guys have any hints on how I could change the cookie domain?
Use the cookie domain "none"
This will set a host-only cookie which will not be sent for all subdomains. Except in IE.
See the localhost example here:
https://developers.google.com/analytics/devguides/collection/analyticsjs/domains
I have a setup with the following domains:
mydomain.com
www.mydomain.com
There is one problem (tested on Internet Explorer):
if some cookie is set for mydomain.com, this cookie is also effective for www.mydomain.com even if I set a cookie with the same name for www.mydomain.com.
More specific examople:
1) the user chooses his prefered language on website mydomain.com and I set the cookie usrlng=en
2) next day someone else uses the same computer, naviagtes to www.mydomain.com and chooses his language, and I set the usrlng=de. But Internet Explorer keeps sending both cookies usrlng=en and usrlng=de to the server (I see this in Fiddler)! Why is it sending the same cookie twice and not overriding 'usrlng' with the subdomain value?
At the same time I see that PHPSESSID is being overwritten correctly for the subdomain, there are no two PHPSESSID cookies being sent to the server.
How can I fix the usrlng cookie and make it work the same way as PHPSESSID works?
You can also set a different save_path for each... so they don't share the sessions.
PHP example:
$subdomain = array_shift(explode('.',$_SERVER['HTTP_HOST']));
ini_set('session.save_path','D:\website_sessions\'.$subdomain.'\');
ini_set('session.save_path','D:\website_sessions\'.$subdomain.'\');
PHP needs access to write in the sessions directory.
For now I solved the problem by setting the 'host' of the cookie instead of 'domain'; 'host' property allowed to limit the cookie to mydomain.com or www.mydomain.com.
Maybe that is the only way to go and 'domain' cannot be set up to oveeride top level domain cookies.
if I have a domain example.com, is there any way to make cookies valid only for that specific domain and not for sub-domains like www.example.com?
I know I can set it to only www.example.com, but can it be without a sub-domain?
Cookies are identified by the combination of their name, domain, and path. So if set correctly, you can limit it's scope to a specific domain/sub-domain and path.
Read Wiki's HTTP Cookie's Attribute Section
or RFC2965
Strictly speaking a cookie carrying the qualifier ";domain=example.com" should not be visible to the "www.domain.com" domain. Whereas ";domain=.example.com" would be visible to the www host.
However I would be very wary of this. I haven't tested this recently but I wouldn't be surprised to see some browsers not conforming properly to this.
Can you set a cookie only for domain.tld and www.domain.tld so that if you go to any other subdomain (bla.doamin.tld for example) the cookie won't be set?
Only if you specify .domain.tld a cookie works for all sub-domains. Setting the cookie for www.domain.tld AND domain.tld should be just what you need.
You can do this. It's mentioned in this cookie spec: http://curl.haxx.se/rfc/cookie_spec.html
When searching the cookie list for valid cookies, a comparison of the domain attributes of the cookie is made with the Internet domain name of the host from which the URL will be fetched. If there is a tail match, then the cookie will go through path matching to see if it should be sent. "Tail matching" means that domain attribute is matched against the tail of the fully qualified domain name of the host. A domain attribute of "acme.com" would match host names "anvil.acme.com" as well as "shipping.crate.acme.com".
I think this isn't possible. I would abstract your cookie-setting-functionality and just set two cookies. One for www.example.org and one for example.org.