
Help understanding cookies, domains, and paths


NotionCommotion


First of all, does anyone know of some good documentation to better understand cookies?  I've gone through the PHP manual, and can find how to use PHP to work with cookies, but not how cookies really work.

 

In particular, it is my understanding that if the domain is .mydomain.com, then mydomain.com, www.mydomain.com, or whatEver.mydomain.com, cookies could be set for each, and available for each, right?

 

If path was /, cookies will be sent for mydomain.com, mydomain.com/bla, and mydomain.com/bla/bla. If path was /bla, cookies will not be sent for mydomain.com, but will be sent for mydomain.com and mydomain.com/bla/bla.

 

Also, what would be the impact if Apache rewrote bla.mydomain.com to mydomain.com/bla?

 

Please feel free to provide any other insight on this topic.

 

Thank you


Cookies are domain restricted, could be a host or subdomain.

 

http://tools.ietf.org/html/rfc6265

 

* A Set-Cookie from request-host y.x.foo.com for Domain=.foo.com would be rejected, because H is y.x and contains a dot.

* A Set-Cookie from request-host x.foo.com for Domain=.foo.com would be accepted.

* A Set-Cookie with Domain=.com or Domain=.com., will always be rejected, because there is no embedded dot.

* A Set-Cookie with Domain=ajax.com will be rejected because the value for Domain does not begin with a dot.

 

There is a trick to add a cookie to multiple domains.

On site1.com add this.

<img src="http://site2.com/set-cookie.php" style="display:none;" />
<img src="http://site3.com/set-cookie.php" style="display:none;" />

There are also other methods using JS or AJAX to send cookie data, but I'd be a little wary of any sensitive data.


An article about cookies

 

tl;dr:

- Cookie domain matches the tail end of the hostname

- Cookie path matches the beginning of the path

 

For rewriting, everything happens according to what the browser sees. It doesn't know (or care) about the fact that the URL is being rewritten somewhere else.
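The two matching rules in the tl;dr above, written out following RFC 6265 sections 5.1.3 (domain-match) and 5.1.4 (path-match). This is an added example, not code from any post in this thread; the cookie objects, the `hostOnly` field and the sample URLs are constructed for illustration.

```javascript
// RFC 6265 section 5.1.3: the cookie domain must equal the host or be a
// dot-separated suffix of it (and the host must not be an IP address).
function domainMatch(host, cookieDomain) {
  host = host.toLowerCase();
  // A leading dot in the Domain attribute is ignored (section 5.2.3).
  const domain = cookieDomain.toLowerCase().replace(/^\./, "");
  if (host === domain) return true;
  const isIp = /^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.includes(":");
  return !isIp && host.endsWith("." + domain);
}

// RFC 6265 section 5.1.4: the cookie path must be a prefix of the request
// path that ends on a "/" boundary.
function pathMatch(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// Decide whether a stored cookie accompanies a request to `url`.
// `hostOnly` is true when the cookie was set without a Domain attribute,
// in which case only the exact host that set it receives it.
function cookieIsSent(cookie, url) {
  const { hostname, pathname } = new URL(url);
  const domainOk = cookie.hostOnly
    ? hostname.toLowerCase() === cookie.domain.toLowerCase()
    : domainMatch(hostname, cookie.domain);
  return domainOk && pathMatch(pathname, cookie.path);
}

// Constructed sample cookies and URLs using the thread's mydomain.com names.
const wide = { domain: ".mydomain.com", path: "/", hostOnly: false };
const scoped = { domain: "mydomain.com", path: "/bla", hostOnly: true };

// Returns [url, sentForWide, sentForScoped] for each sample URL.
function demo() {
  return [
    "http://mydomain.com/",
    "http://www.mydomain.com/bla",
    "http://mydomain.com/bla/bla",
    "http://mydomain.com/blah",
    "http://notmydomain.com/bla",
  ].map((u) => [u, cookieIsSent(wide, u), cookieIsSent(scoped, u)]);
}

console.log(demo());
```

The last two URLs are the edge cases: `/blah` does not match Path=/bla because the prefix must end on a `/` boundary, and `notmydomain.com` does not match because the suffix must start at a label boundary.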

Thanks requinix,

 

I haven't read the article yet, but first glance indicates it is better than others I have read.  Thank you

 

In hindsight, totally agree about your remark about what the browser sees, and don't know why I asked the question.  Thank you

 

Didn't recall the tl;dr; acronym, so promptly looked it up.

 

 tl;dr

Literally, "Too long; didn't read"

 

Said whenever a nerd makes a post that is too long to bother reading.

"omg you postwench. i can only say one thing in response - tl;dr"

"tl;dr...why dont you give up on your unabridged edition of War and Peace or at least stop posting it here?"

 

 

 

Okay, I obviously read the wrong definition!  Do you mind giving a couple of examples of cookie domains which match the tail end of the hostname, and cookie paths which match the beginning of the path?

 

Thanks!


Took me a bit to find this. I did this for a multi-WordPress site where I had to set the video sizes the same across all subdomains in a plugin.

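<script>
// Set a cookie, optionally scoped to a domain and path.
function setCookie(c_name, value, exdays, domain, path) {
  var cookie = c_name + "=" + encodeURIComponent(value);

  // Attributes are separated from the value and from each other by "; ".
  if (exdays != null) {
    var exdate = new Date();
    exdate.setDate(exdate.getDate() + exdays);
    cookie += "; expires=" + exdate.toUTCString();
  }
  if (domain) {
    cookie += "; domain=" + domain;
  }
  if (path) {
    cookie += "; path=" + path;
  }
  document.cookie = cookie;
}

// winW and winH were not defined in the posted snippet; the viewport size
// is assumed here.
var winW = window.innerWidth;
var winH = window.innerHeight;

// Argument order is (name, value, days, domain, path).
setCookie("screen_width", winW, 60, ".domain.com", "/");
setCookie("screen_height", winH, 60, ".domain.com", "/");
</script>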
Edited by QuickOldCar


Please elaborate on "Cookies are domain restricted, could be a host or subdomain."

 

Nice article!  I was expecting such good reading :)

 

Good examples.

 

Please elaborate on what "There is a trick to add a cookie to multiple domains." is doing.

 

Thanks!


Please elaborate on "Cookies are domain restricted, could be a host or subdomain."

 

 

If you set a cookie for subdomain.domain.com, it only works for that.

If you set the cookie as .domain.com, it will work for all.

 

 

Please elaborate on what "There is a trick to add a cookie to multiple domains." is doing.

 

 

Cookies can only be set from the same domain.

Placing it there as an image with no style could load that script in the background, so you can add additional domains.
