
Setting cookies only on the naked domain

@RJPawlick198

Posted in: #Cookie #Domains #Subdomain

As far as I know, one can set a cookie for example.com and not .example.com and then the cookie will only be visible on example.com and not sub.example.com. Is this true? I have set a cookie on a test domain I own, and it seems that cookies are not shared at static.mydomain.com

This page suggests otherwise:


Omitting www leaves you no choice but to write cookies to *.example.org, so for performance reasons it's best to use the www subdomain and write the cookies to that subdomain.


2 Comments


@Gloria169

In response to the Yahoo Developer page, they are talking about you serving content on your site from example.com, but explicitly setting the domain of the cookie - in which case you have to set the cookie as either .example.com or .www.example.com.

When you set a cookie, you have two options:


1. Do not specify the domain name - in which case the cookie will default to the "Request-Host" (without a dot at the beginning) - in your case example.com or example.com (note the embedded dot).
2. Specify a URL, in which case you fall under the rule "An explicitly specified domain must always start with a dot."


What the Yahoo page is stating is that if you've already issued cookies to .example.com then those cookies will also be sent to subdomain.example.com as well, so if you want to serve your static content on a "cookieless domain" you'd have to use a different URL.


@Eichhorn148

The cookie specification indicates that you are correct:


A is a FQDN string and has the form NB, where N is a non-empty name
string, B has the form .B', and B' is a FQDN string. (So, x.y.com
domain-matches .y.com but not y.com.)


Even if you do use example.com for your site, you still probably want to set some cookies to *.example.com so that they can also be read on a subdomain like blog.example.com.

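As an added example (not part of either answer and not code from the pages they cite), the sketch below models how a user agent following RFC 6265, the current cookie specification, scopes a cookie set with and without a Domain attribute. The hostnames and function names are constructed for illustration, and the public-suffix and IP-address checks a real browser performs are omitted.

```javascript
// Added example: cookie scoping per RFC 6265 (sections 5.1.3, 5.2.3, 5.3).
// Hostnames are constructed; public-suffix and IP-address checks are omitted.

// True when host is the domain itself or a subdomain of it.
function domainMatches(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

// Model what the user agent stores when requestHost sends Set-Cookie.
// domainAttr is the value of the Domain attribute, or undefined if absent.
function storeCookie(requestHost, domainAttr) {
  const host = requestHost.toLowerCase();
  if (domainAttr === undefined || domainAttr === "") {
    // No Domain attribute: host-only cookie, tied to the exact setting host.
    return { domain: host, hostOnly: true };
  }
  // A leading dot is ignored, so ".example.com" and "example.com" are equal.
  const domain = domainAttr.toLowerCase().replace(/^\./, "");
  // A host may only name itself or a parent domain; otherwise the
  // user agent ignores the cookie entirely.
  if (!domainMatches(host, domain)) return null;
  return { domain: domain, hostOnly: false };
}

// Decide whether a stored cookie is attached to a request for requestHost.
function isSentTo(cookie, requestHost) {
  const host = requestHost.toLowerCase();
  return cookie.hostOnly
    ? host === cookie.domain
    : domainMatches(host, cookie.domain);
}

// List which of the given hosts would receive the cookie.
function visibleOn(cookie, hosts) {
  return hosts.filter((h) => isSentTo(cookie, h));
}

const hosts = ["example.com", "www.example.com", "static.example.com"];
const cases = [
  ["example.com", undefined],          // host-only on the naked domain
  ["example.com", ".example.com"],     // explicit Domain: shared with subdomains
  ["www.example.com", undefined],      // host-only on www
];
for (const [setBy, attr] of cases) {
  const c = storeCookie(setBy, attr);
  console.log(setBy, "Domain=" + attr, "->", visibleOn(c, hosts).join(", "));
}
```

Under this model, omitting the Domain attribute keeps a session cookie off sibling and child hosts, which is the narrower and safer default when subdomains are run by different teams or serve untrusted content.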

