https://stackoverflow.com/questions/1062963/how-do-browser-cookie-domains-work

答案一

Although there is the RFC 2965 (Set-Cookie2, had already obsoleted RFC 2109) that should define the cookie nowadays, most browsers don’t fully support that but just comply to the original specification by Netscape.

There is a distinction between the Domain attribute value and the effective domain: the former is taken from the Set-Cookie header field and the latter is the interpretation of that attribute value. According to the RFC 2965, the following should apply:

  • If the Set-Cookie header field does not have a Domain attribute, the effective domain is the domain of the request.
  • If there is a Domain attribute present, its value will be used as effective domain (if the value does not start with a . it will be added by the client).

Having the effective domain it must also domain-match the current requested domain for being set; otherwise the cookie will be revised. The same rule applies for choosing the cookies to be sent in a request.


Mapping this knowledge onto your questions, the following should apply:

  • Cookie with Domain=.example.com will be available for www.example.com
  • Cookie with Domain=.example.com will be available for example.com
  • Cookie with Domain=example.com will be converted to .example.com and thus will also be available for www.example.com
  • Cookie with Domain=example.com will not be available for anotherexample.com
  • www.example.com will be able to set cookie for example.com
  • www.example.com will not be able to set cookie for www2.example.com
  • www.example.com will not be able to set cookie for .com

And to set and read a cookie for/by www.example.com and example.com, set it for .www.example.com and .example.com respectively. But the first (.www.example.com) will only be accessible for other domains below that domain (e.g. foo.www.example.com or bar.www.example.com) where .example.com can also be accessed by any other domain below example.com (e.g. foo.example.com or bar.example.com).

答案二

The previous answers are a little outdated.

RFC 6265 was published in 2011, based on the browser consensus at that time. Since then, there has been some complication with public suffix domains. I've written an article explaining the current situation - http://bayou.io/draft/cookie.domain.html

To summarize, rules to follow regarding cookie domain:

  • The origin domain of a cookie is the domain of the originating request.

  • If the origin domain is an IP, the cookie's domain attribute must not be set.

  • If a cookie's domain attribute is not set, the cookie is only applicable to its origin domain.

  • If a cookie's domain attribute is set,

    • the cookie is applicable to that domain and all its subdomains;
    • the cookie's domain must be the same as, or a parent of, the origin domain
    • the cookie's domain must not be a TLD, a public suffix, or a parent of a public suffix.

It can be derived that a cookie is always applicable to its origin domain.

The cookie domain should not have a leading dot, as in .foo.com - simply use foo.com

As an example,

  • x.y.z.com can set a cookie domain to itself or parents - x.y.z.com, y.z.com, z.com. But not com, which is a public suffix.
  • a cookie with domain=y.z.com is applicable to y.z.com, x.y.z.com, a.x.y.z.com etc.

Examples of public suffixes - com, edu, uk, co.uk, blogspot.com, compute.amazonaws.com

How do browser cookie domains work?的更多相关文章

  1. Browser Cookie Limits

    w https://cait.calarts.edu/hc/en-us/articles/217055138-Error-Maximum-Number-of-Cookie-Values-Reached ...

  2. Google上的Cookie Matching

    Cookie Matching This guide explains how the Cookie Matching Service enables you to make more effecti ...

  3. Browser security standards via access control

    A computing system is operable to contain a security module within an operating system. This securit ...

  4. IE/Firefox/Chrome等浏览器保存Cookie的位置

    IE/Firefox/Chrome等浏览器保存Cookie的位置 原文  http://smilejay.com/2013/04/browser-cookie-location/   前面写了篇长文( ...

  5. Network | Cookie and Session

    Cookies are arbitrary pieces of data chosen by the web server and sent to the browser. The browser r ...

  6. 【PC网站前端架构探讨系列】关于中小型PC网站前端架构方案的讨论与实践

    目   录 1.遇到的问题 2.目标 3.探讨 4.架构设想 5.流程 6.初步实现 7.存在问题 8.最后 遇到的问题 我在这个系列上篇文章 已经讲解并开始逐步应用模块化思想,不知大家还记不记得,题 ...

  7. Technical analysis of client identification mechanisms

    http://www.chromium.org/Home/chromium-security/client-identification-mechanisms Chromium‎ > ‎Chro ...

  8. Drupal启动阶段之一:配置

    配置是Drupal启动过程中的第一个阶段,通过函数_drupal_bootstrap_configuration()实现: function _drupal_bootstrap_configurati ...

  9. Android安全之Intent Scheme Url攻击

    0X01 前言 Intent scheme url是一种用于在web页面中启动终端app activity的特殊URL,在针对intent scheme URL攻击大爆发之前,很多android的浏览 ...

随机推荐

  1. Flask框架 之重定向、cookie和session

    一.URL重定向(redirect) @app.route("/login") def login(): # 使用url_for函数通过视图函数的名字找到url路径 url = u ...

  2. 02C++基本语法

    基本语法 2.1.1单行注释 // 2.1.2多行注释 /* * */ 2.1.3标识符 C++ 标识符是用来标识变量.函数.类.模块,或任何其他用户自定义项目的名称.一个标识符以字母 A-Z 或 a ...

  3. Python学会之后,一般能拿到多少工资?

    Python在约40年前出现以来,已经有数以千计基于这项技术的网站和软件项目,Python因其独有的特点从众多开发语言中脱颖而出,深受世界各地的开发者喜爱. 随着Python的技术的流行,Python ...

  4. 再读Android sqlite

    再读Android sqlite Android原生支持sqlite数据库操作,sqlite时轻量级关系型数据库,支持标准sql语句.Android对sqlite进行良好的接口封装来避免sql注入等安 ...

  5. 前端安全 xss

    整体的 XSS 防范是非常复杂和繁琐的,不仅需要在全部需要转义的位置,对数据进行对应的转义.而且要防止多余和错误的转义,避免正常的用户输入出现乱码. 虽然很难通过技术手段完全避免 XSS,但可以总结以 ...

  6. C++ string使用

    在c语言里,我们使用一个字符串时,是通过字符数组或者字符指针的方式来进行使用,在C++里,标准模板库已经给我们提供了string类型(string是以类的方式提供给我们使用). 定义和初始化strin ...

  7. 关于SPFA的双端队列优化

    7.11 Update 我做题的时候发现这样写会RE 因为在使用双端队列优化SPFA的时候 在将一个点加入队列的时候,如果队列已经空了 那么一旦出现dis[Q.front()]就会RE 可以这样修改 ...

  8. UVA - 1374 Power Calculus (dfs迭代加深搜索)

    题目: 输入正整数n(1≤n≤1000),问最少需要几次乘除法可以从x得到xn ?在计算过程中x的指数应当总是正整数. 思路: dfs枚举次数深搜 注意: 1.指数如果小于0,就退出当前的搜索 2.n ...

  9. eclipse 中导入 MyBatis 的源码

    (1)选中 Mybatis-3.2.2.jar ,右击,在弹出的快捷菜单中选择 “Properties” 选项,进入属性界面. (2)进入属性界面后,选中 “Java  Source Attachme ...

  10. gitlab root 账号 忘记密码如何重置

    shell>cd /home/git/gitlabshell> su gitshell>bundle exec rails console productionirb(main):0 ...