I am trying to set the cookie for a specific domain (as I have multiple websites and I don't want to share them between them), so for this I changed the configuration, as OOTB Magento provides this feature (Stores > Configuration > General > Web > Default Cookie Settings > Cookie Domain), added my domain, set the Cookie Path to /, saved the configuration, and cleared cache and cookies. On the frontend side, I can see all cookies set to my domain except form_key, which is adding an extra . (dot).
So is this the correct way, or am I missing something to set the cookie for the specific domain? And another question is: why is Magento adding a . (dot) to only the form_key cookie?
Best Answer
Before worrying about why it happens, you may want to consider whether it's actually a problem for you. It seems that having a leading dot shouldn't be affecting cookie behaviour in the browser.
The leading dot means that the cookie is valid for subdomains as well. RFC 6265 Section 4.1.2.3 defines this, so modern browsers should ignore leading dots if you're on the base domain.
EDIT:
I've done a little bit of testing and it looks as though Magento wasn't actually sending the cookie domain with a leading dot in the Set-Cookie header by default, so this points the issue towards being browser behaviour and how it handles the Set-Cookie headers.
Chrome dev tools network inspector:
Chrome dev tools cookie list:
I suspect that the cookies you see without the leading dot are cookies assigned by JS functions, rather than by a Set-Cookie header.
EDIT 2:
As you mentioned in the comments below, the ~~JS function~~ PHP function for the cookie JS here does look like it adds the leading dot to the domain when the form_key is instantiated here, though any further communications with that form_key have the leading dot stripped in the headers too. This could be a core bug, or it could be a configuration issue (I'm more inclined to think the former of the two).
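How a browser actually treats that leading dot, as an added example that is not code from the question, the answer, or Magento: a small Python model of the RFC 6265 rules the answer cites, run over constructed Set-Cookie headers. It also shows the RFC's separate distinction between a cookie set with an explicit Domain attribute (sent to subdomains) and a host-only cookie set without one; the hostnames and the other_cookie name are constructed for the example.

```python
import re
from dataclasses import dataclass


@dataclass
class Cookie:
    name: str
    value: str
    domain: str      # canonical domain, never stored with a leading dot
    host_only: bool  # True when Set-Cookie carried no Domain attribute
    path: str


def domain_match(host: str, domain: str) -> bool:
    """RFC 6265 section 5.1.3: does `host` domain-match `domain`?"""
    host, domain = host.lower(), domain.lower()
    if host == domain:
        return True
    # domain must be a suffix preceded by a dot, and host must not be an IP address
    return host.endswith("." + domain) and not re.fullmatch(r"[\d.]+", host)


def parse_set_cookie(header: str, request_host: str):
    """Store a Set-Cookie header as RFC 6265 sections 5.2-5.3 say a browser does.
    Returns a Cookie, or None when the user agent must ignore the cookie."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    path = attrs.get("path") or "/"
    domain_attr = attrs.get("domain", "").lower()
    # 5.2.3: a leading %x2E (".") in the Domain attribute is dropped before use
    if domain_attr.startswith("."):
        domain_attr = domain_attr[1:]
    if domain_attr:
        # 5.3 step 6: reject cookies whose Domain does not cover the request host
        if not domain_match(request_host, domain_attr):
            return None
        return Cookie(name.strip(), value, domain_attr, False, path)
    # no Domain attribute: host-only cookie for the exact request host
    return Cookie(name.strip(), value, request_host.lower(), True, path)


def is_sent_to(cookie: Cookie, request_host: str) -> bool:
    """RFC 6265 section 5.4: which request hosts carry this cookie (path ignored)."""
    if cookie.host_only:
        return request_host.lower() == cookie.domain
    return domain_match(request_host, cookie.domain)
```

The dotted and undotted Domain values end up as the same stored cookie; what changes which hosts receive a cookie is whether a Domain attribute was present at all.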