Can subdomain.example.com set a cookie that can be read by example.com?

Evan Plaice asked:

I simply cannot believe this is quite so hard to determine.

Even having read the RFCs, it’s not clear to me if a server at subdomain.example.com can set a cookie that can be read by example.com.

subdomain.example.com can set a cookie whose Domain attribute is .example.com. RFC 2965 seems to explicitly state that such a cookie will not be sent to example.com, but then equally says that if you set Domain=example.com, a dot is prepended, as if you said .example.com. Taken together, this seems to say that if example.com returns sets a cookie with Domain=example.com, it doesn’t get that cookie back! That can’t be right.

Can anyone clarify what the rules really are?

My answer:


If the browser implements RFC 6265, which any modern browser should be doing at this point, then a cookie set for .example.com will have the leading dot ignored (section 5.2.3), and the cookie will then be sent to the naked domain and to all subdomains.

Don’t rely on this behavior if you have significant traffic from older browsers; this RFC only dates to 2011.


View the full question and answer on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.