Reputation: 30995
Share cookies between subdomain and domain
I have two questions. I understand that if I specify the domain as .example.com (with the leading dot) in the cookie that all subdomains can share a cookie.
Can subdomain.example.com access a cookie created in example.com (without the www subdomain)?
Can example.com (without the www subdomain) access the cookie if created in subdomain.example.com?
Upvotes: 761
Views: 651205
Answers (6)
Reputation: 42458
If you set a cookie like this:
Set-Cookie: name=value
then the cookie will only apply to the request domain, and will only be sent for requests to the exact same domain, not any other subdomains. (See What is a "host only" cookie?)
Two different domains (e.g. example.com and subdomain.example.com, or sub1.example.com and sub2.example.com) can only share cookies if the domain attribute is present in the header:
Set-Cookie: name=value; domain=example.com
The domain attribute must domain-match the request URL for it to be valid, which basically means it must be the request domain or a superdomain (i.e. further up the domain hierarchy). So this applies for both examples in the question, as well as sharing between two separate subdomains.
This cookie would then be sent for example.com and any subdomain of example.com, including nested subdomains like subsub.subdomain.example.com. The same domain-matching logic is used to decide whether to send the cookie. (Bear in mind there are other attributes that could restrict the scope of the cookie and when it gets sent by the browser, like path or Secure).
Because of the way the domain-matching works, if you want sub1.example.com and sub2.example.com to share cookies, then you'll also share them with sub3.example.com.
See also:
- www vs no-www and cookies
- setcookie.net: a site where you can try it out (disclaimer: developed by me, for this question)
A note on leading dots in domain attributes: In the early RFC 2109, only domains with a leading dot (domain=.example.com) could be used across subdomains. But this could not be shared with the top-level domain, so what you ask was not possible in the older spec.
However, the newer specification RFC 6265 ignores any leading dot, meaning you can use the cookie on subdomains as well as the top-level domain. Some browsers will show a leading dot in developer tools to differentiate between host-only cookies and other cookies, but this is for display purposes only.
Upvotes: 1169
Reputation: 18594
I'm not sure cmbuckley's answer is showing the full picture. What I read is:
Unless the cookie's attributes indicate otherwise, the cookie is returned only to the origin server (and not, for example, to any subdomains), and it expires at the end of the current session (as defined by the user agent). User agents ignore unrecognized cookie.
Also
8.6. Weak Integrity
Cookies do not provide integrity guarantees for sibling domains (and
their subdomains). For example, consider foo.example.com and
bar.example.com. The foo.example.com server can set a cookie with a
Domain attribute of "example.com" (possibly overwriting an existing
"example.com" cookie set by bar.example.com), and the user agent will
include that cookie in HTTP requests to bar.example.com. In the
worst case, bar.example.com will be unable to distinguish this cookie
from a cookie it set itself. The foo.example.com server might be
able to leverage this ability to mount an attack against
bar.example.com.
To me that means you can protect cookies from being read by subdomain/domain but cannot prevent writing cookies to the other domains. So somebody may rewrite your site cookies by controlling another subdomain visited by the same browser. Which might not be a big concern.
Awesome cookies test site provided by cmbuckley and for those that missed it in his answer like me; worth scrolling up.
Upvotes: 52
Reputation: 7483
Please everyone note that you can set a cookie from a subdomain on a domain.
(sent in the response for requesting subdomain.example.com)
Set-Cookie: name=value; Domain=example.com // GOOD
But you can't set a cookie from a domain on a subdomain.
(sent in the response for requesting example.com)
Set-Cookie: name=value; Domain=subdomain.example.com // Browser rejects cookie
Why?
According to the specifications, RFC 6265 section 5.3.6 Storage Model,
If the canonicalized request-host does not domain-match the domain-attribute: Ignore the cookie entirely and abort these steps.
and RFC 6265 section 5.1.3 Domain Matching,
Domain Matching
A string domain-matches a given domain string if at least one of the following conditions hold:
The domain string and the string are identical. (Note that both the domain string and the string will have been canonicalized to lower case at this point.)
All of the following conditions hold:
* The domain string is a suffix of the string. * The last character of the string that is not included in the domain string is a %x2E (".") character. * The string is a host name (i.e., not an IP address).
So subdomain.example.com domain-matches example.com, but example.com does not domain-match subdomain.example.com
Check this answer also.
Upvotes: 166
Reputation: 5471
Here is an example using the DOM cookie API, so we can see the behavior for ourselves.
If we execute the following JavaScript code,
document.cookie = "key=value"
it appears to be the same as executing:
document.cookie = "key=value;domain=example.com"
The cookie key becomes available (only) on the domain example.com.
Now, if you execute the following JavaScript code on example.com,
document.cookie = "key=value;domain=.example.com"
the cookie key becomes available to example.com as well as subdomain.example.com.
Finally, if you were to try and execute the following on subdomain.example.com,
document.cookie = "key=value;domain=.example.com"
does the cookie key become available to subdomain.example.com? I was a bit surprised that this is allowed; I had assumed it would be a security violation for a subdomain to be able to set a cookie on a parent domain.
Upvotes: 30
Reputation: 99
In both cases, yes, it can, and this is the default behaviour for both Internet Explorer and Edge.
The other answers add valuable insight, but they chiefly describe the behaviour in Chrome. It's important to note that the behaviour is completely different in Internet Explorer. CMBuckley's very helpful test script demonstrates that in (say) Chrome, the cookies are not shared between root and subdomains when no domain is specified.
However, the same test in Internet Explorer shows that they are shared. This Internet Explorer case is closer to the take-home description in CMBuckley's www-or-not-www link. I know this to be the case because we have a system that used different servicestack cookies on both the root and subdomain. It all worked fine until someone accessed it in Internet Explorer and the two systems fought over whose session cookie would win until we blew up the cache.
Upvotes: 3
Reputation: 1678
Be careful if you are working on localhost! If you store your cookie in JavaScript like this:
document.cookie = "key=value;domain=localhost"
It might not be accessible to your subdomain, like sub.localhost. In order to solve this issue you need to use VirtualHost. For example, you can configure your virtual host with ServerName localhost.com, and then you will be able to store your cookie on your domain and subdomain like this:
document.cookie = "key=value;domain=localhost.com"
Upvotes: 9
Related Questions
- Can subdomain.example.com set a cookie that can be read by example.com?
- Share cookies to subdomain on localhost
- Domain set cookie for subdomain
- Share cookie between domains
- How to share cookie between domain and subdomain, but not other subdomains
- make cookie persist across subdomain
- Cookie for subdomain
- Set cookie from main domain for subdomain
- Is it possible to share a cookie between a domain and a subsubdomain
- Cross subdomain cookie handling for session?