Can subdomain.example.com set a cookie that can be read by example.com

cookieshttpsubdomain

I simply cannot believe this is quite so hard to determine.

Even having read the RFCs, it's not clear to me if a server at subdomain.example.com can set a cookie that can be read by example.com.

subdomain.example.com can set a cookie whose Domain attribute is .example.com. RFC 2965 seems to explicitly state that such a cookie will not be sent to example.com, but then equally says that if you set Domain=example.com, a dot is prepended, as if you said .example.com. Taken together, this seems to say that if example.com returns sets a cookie with Domain=example.com, it doesn't get that cookie back! That can't be right.

Can anyone clarify what the rules really are?

Best Answer

Quoting from the same RFC2109 you read:

       * A Set-Cookie from request-host x.foo.com for Domain=.foo.com would
         be accepted.

So subdomain.example.com can set a cookie for .example.com. So far so good.

       The following rules apply to choosing applicable cookie-values from
       among all the cookies the user agent has.

       Domain Selection
            The origin server's fully-qualified host name must domain-match
            the Domain attribute of the cookie

So do we have a domain-match?

   * A is a FQDN string and has the form NB, where N is a non-empty name
     string, B has the form .B', and B' is a FQDN string.  (So, x.y.com
     domain-matches .y.com but not y.com.)

But now example.com wouldn't domain-match .example.com according to the definition. But www.example.com (or any other "non-empty name" in the domain) would. This RFC is in theory obsoleted by RFC2965, which dictated things about forcing a leading dot for domains on Set-Cookie2 operations.

More important, as noted by @Tony, is the real world. For a glimpse into what actual user agents are doing, see

Firefox 3's nsCookieService.cpp

and

Chrome's cookie_monster.cc

For perspective into what actual sites are doing, try playing with wget using --save-cookies, --load-cookies, and --debug to see what's going on.

You'll likely find that in fact most sites are using some combination of Set-Cookie from the older RFC spec with "Host" values, implicitly without a leading dot (as twitter.com does) or setting Domain values (with a leading dot) and redirecting to a server like www.example.com (as google.com does).

Related Topic