## March 3, 2016 by dc

Several RFCs cover HTTP state management: RFC 2109, RFC 2965 and RFC 6265.

My environment is Chrome Version 47.0.2526.106 (64-bit), and I use Tornado to set cookies.

According to the RFCs, if you provide the Domain field in Set-Cookie, you should keep a dot at the beginning of the domain name; if you forget it, the HTTP client should add it for you. You can also omit the Domain field, in which case the domain value is set to the request host.

## without domain

This is set by `Set-Cookie: a=a; Path=/`. The Domain value is the request host.

## with domain

This is set by `Set-Cookie: a=b; Domain=.dev.dmright.com; Path=/`. I added a dot at the beginning. You will find that the cookie whose domain has a dot and the cookie whose domain has no dot are different cookies, even though they have the same name.

What if I set a cookie with a domain but without the dot?

## with domain but without dot

This is set by `Set-Cookie: a=c; Domain=dev.dmright.com; Path=/`. You will find that the cookie from the second scenario is overridden: as the RFC says, if you forget the dot at the beginning, the client adds it for you.

The with-dot domain also matches its subdomains, e.g. the cookie for .dev.dmright.com is sent to the server when the request URI is x.dev.dmright.com, but the cookie for the without-dot domain is not.
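The three scenarios above can be replayed against a small model of a cookie store. This is an added example, not code from the original post or from Tornado or Chrome; the class and function names are hypothetical. It follows RFC 6265, which normalises the Domain attribute by ignoring a leading dot, so both Domain forms end up as the same cookie, and it assumes (as observed above in Chrome) that a host-only cookie is stored separately from a Domain cookie of the same name.

```python
# Added example: minimal model of cookie Domain handling (RFC 6265
# sections 5.1.3, 5.2.3, 5.3). Path, public-suffix and IP checks are omitted.

def domain_match(host, domain):
    """RFC 6265 5.1.3: identical, or host ends with '.' + domain."""
    return host == domain or host.endswith("." + domain)

class CookieJar:
    def __init__(self):
        # Assumption: host_only is part of the key, so a host-only cookie and
        # a Domain cookie with the same name coexist (as the page saw in Chrome).
        self.store = {}

    def set_cookie(self, request_host, header):
        """Store one Set-Cookie header value received from request_host."""
        parts = [p.strip() for p in header.split(";")]
        name, _, value = parts[0].partition("=")
        pairs = (p.partition("=") for p in parts[1:])
        attrs = {k.strip().lower(): v.strip() for k, _, v in pairs}
        host = request_host.lower()
        domain = attrs.get("domain", "").lower()
        if domain.startswith("."):
            domain = domain[1:]  # 5.2.3: a leading dot is ignored
        if domain:
            if not domain_match(host, domain):
                return False  # 5.3: host may not set a cookie for a foreign domain
            host_only = False
        else:
            domain, host_only = host, True  # no Domain: bound to the exact host
        path = attrs.get("path") or "/"
        self.store[(name.strip(), domain, path, host_only)] = value.strip()
        return True

    def cookies_for(self, request_host):
        """Return sorted (name, value) pairs that would be sent to request_host."""
        host = request_host.lower()
        out = []
        for (name, domain, _path, host_only), value in self.store.items():
            if (host == domain) if host_only else domain_match(host, domain):
                out.append((name, value))
        return sorted(out)

def demo():
    """Replay the page's three Set-Cookie headers, all sent by dev.dmright.com."""
    jar = CookieJar()
    jar.set_cookie("dev.dmright.com", "a=a; Path=/")
    jar.set_cookie("dev.dmright.com", "a=b; Domain=.dev.dmright.com; Path=/")
    jar.set_cookie("dev.dmright.com", "a=c; Domain=dev.dmright.com; Path=/")
    return jar
```

After `demo()`, the store holds two cookies: the host-only `a=a` and the Domain cookie `a=c`, which replaced `a=b`. Only `a=c` is returned by `cookies_for("x.dev.dmright.com")`.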

Best practice: always set cookies without the Domain field, unless you know exactly what you want.