March 3, 2016

cookies domain

There are some RFCs about HTTP state management: RFC2109, RFC2965, RFC6265.

My environment is Chrome Version 47.0.2526.106 (64-bit), and I use Tornado to set cookies.

According to the RFCs, if you provide the Domain field in Set-Cookie, you should keep a dot at the beginning of the domain name; if you forget it, the HTTP client should add it for you. You can also omit the Domain field, in which case the domain value is set to the request host.

without domain

This is set by Set-Cookie:a=a; Path=/, and the Domain value is the request host.

with domain

This is set by Set-Cookie:a=b;; Path=/, where I added a dot at the beginning. You will find that the domain with a dot and the domain without a dot are different, even though you set the same name.

What if I set cookie with domain but without dot?

with domain but without dot

This is set by Set-Cookie:a=c;; Path=/. You will find that the cookie from the second scenario is overridden: as the RFC says, if you forget the dot at the beginning, the client will add it for you.

The with-dot domain can match its subdomains, e.g., the will be sent to server when the request uri is, but the without-dot domain will not.
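The three scenarios above can be replayed against a small model of the client's cookie store. This is an added example, not code from the original post or from Chrome: the hosts example.com and sub.example.com are constructed, the dotted display of domain cookies follows what the post observes in Chrome, and the public-suffix check real browsers apply is left out.

```python
# Added example: simplified model of the cookie behaviour described above.
# example.com / sub.example.com are constructed hosts (names, not IPs).
def domain_match(host, domain):
    """RFC 6265 section 5.1.3 for host names: equal, or host is a subdomain."""
    return host == domain or host.endswith("." + domain)

class Jar:
    def __init__(self):
        self.cookies = {}  # (name, shown_domain, path) -> value

    def set_cookie(self, header_value, request_host):
        parts = [p.strip() for p in header_value.split(";") if p.strip()]
        name, _, value = parts[0].partition("=")
        attrs = {}
        for part in parts[1:]:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
        domain = attrs.get("domain", "").lower()
        if domain.startswith("."):
            domain = domain[1:]          # "with dot" and "without dot" normalise alike
        if domain:
            if not domain_match(request_host, domain):
                return None              # reject a Domain the request host is not part of
            shown = "." + domain         # domain cookie, shown with a leading dot
        else:
            shown = request_host         # host-only cookie: exact host, no dot
        # Path defaults to "/" here for brevity; real clients derive it from the URI.
        cookie_key = (name, shown, attrs.get("path", "/"))
        self.cookies[cookie_key] = value
        return cookie_key

    def cookie_header(self, request_host):
        sent = []  # name=value pairs that would be sent to request_host
        for (name, shown, _path), value in self.cookies.items():
            if shown.startswith("."):
                ok = domain_match(request_host, shown[1:])
            else:
                ok = request_host == shown
            if ok:
                sent.append(f"{name}={value}")
        return sorted(sent)

def demo():
    jar = Jar()
    jar.set_cookie("a=a; Path=/", "example.com")                       # without domain
    jar.set_cookie("a=b; Domain=.example.com; Path=/", "example.com")  # with dot
    jar.set_cookie("a=c; Domain=example.com; Path=/", "example.com")   # without dot
    return jar
```

After `demo()`, the store holds two cookies named `a`: the host-only one keeps the value `a`, the domain cookie now holds `c`, and only the domain cookie is returned for `sub.example.com`.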

Best practice: always set cookies without a domain, unless you know what you want.
