Help understanding cookies, domains, and paths

[NotionCommotion]

First of all, does anyone know of some good documentation to better understand cookies?  I've gone through the PHP manual, and can find how to use PHP to work with cookies, but not how cookies really work.

 

In particular, it is my understanding that if the domain is .mydomain.com, then mydomain.com, www.mydomain.com, or whatEver.mydomain.com, cookies could be set for each, and available for each, right?

 

If path was /, cookies will be sent for mydomain.com, mydomain.com/bla, and mydomain.com/bla/bla. If path was /bla, cookies will be not be sent for mydomain.com, but will be sent for mydomain.com and mydomain.com/bla/bla.

 

Also, what would be the impact if Apache rewrote bla.mydomain.com to mydomain.com/bla?

 

Please feel free to provide any other insight on this topic.

 

Thank you

[requinix]

An article about cookies

 

tl;dr:

- Cookie domain matches the tail end of the hostname

- Cookie path matches the beginning of the path

 

For rewriting, everything happens according to what the browser sees. It doesn't know (or care) about the fact that the URL is being rewritten somewhere else.

[QuickOldCar]

Cookies are domain restricted, could be a host or subdomain.

 

http://tools.ietf.org/html/rfc6265

 

*A Set-Cookie from request-host y.x.foo.com for Domain=.foo.com
     would be rejected, because H is y.x and contains a dot.

 

* A Set-Cookie from request-host x.foo.com for Domain=.foo.com would
     be accepted.

 

* A Set-Cookie with Domain=.com or Domain=.com., will always be
     rejected, because there is no embedded dot.

 

* A Set-Cookie with Domain=ajax.com will be rejected because the
     value for Domain does not begin with a dot.

 

Is a trick to add a cookie multiple domains.

On site1.com add this.

<img src="http://site2.com/set-cookie.php" style="display:none;" />
<img src="http://site3.com/set-cookie.php" style="display:none;" />

Is also other methods using js or ajax to send cookie data, but I'd be a little weary any sensitive data.

[NotionCommotion]

An article about cookies

 

tl;dr:

- Cookie domain matches the tail end of the hostname

- Cookie path matches the beginning of the path

 

For rewriting, everything happens according to what the browser sees. It doesn't know (or care) about the fact that the URL is being rewritten somewhere else.

Thanks requinix,

 

I haven't read the article yet, but first glance indicates it is better than others I have read.  Thank you

 

In hindsight, totally agree about your remark about what the browser sees, and don't know why I asked the question.  Thank you

 

Didn't recall the tl;dr; acronym, so promptly looked it up.

 

 tl;dr

Literally, "Too long; didn't read"

 

Said whenever a nerd makes a post that is too long to bother reading.

"omg you postwench. i can only say one thing in response - tl;dr"

"tl;dr...why dont you give up on your unabridged edition of War and Peace or at least stop posting it here?"

 

 

 

Okay, I obviously read the wrong definition!  Do you mind giving a couple of examples of cookie domains which match the tail end of the hostname, and cookie paths which match the beginning of the path.

 

Thanks!

[QuickOldCar]

Took me a bit to find this, I did this for a multi-wordpress site in where i had to set the video sizes the same across all subdomains in a plugin.

<script>
function setCookie(c_name,value,exdays,domain,path){
      var exdate=new Date();
      exdate.setDate(exdate.getDate() + exdays);
      var c_value=escape(value) +
        ((exdays==null) ? "" : ("; expires="+exdate.toUTCString()));
  cookie=c_name + "=" + c_value;
 
  if (domain){
    cookie += "domain=" + domain + ";";
}
if (path){
    cookie += "path=" + path + ";";
}
      document.cookie=cookie;
    }

setCookie("screen_width",winW,60,"/",".domain.com");
setCookie("screen_height",winH,60,"/",".domain.com");
</script>

Edited November 11, 2014 by QuickOldCar

[NotionCommotion]

Cookies are domain restricted, could be a host or subdomain.

 

http://tools.ietf.org/html/rfc6265

 

*A Set-Cookie from request-host y.x.foo.com for Domain=.foo.com

     would be rejected, because H is y.x and contains a dot.

 

* A Set-Cookie from request-host x.foo.com for Domain=.foo.com would

     be accepted.

 

* A Set-Cookie with Domain=.com or Domain=.com., will always be

     rejected, because there is no embedded dot.

 

* A Set-Cookie with Domain=ajax.com will be rejected because the

     value for Domain does not begin with a dot.

 

Is a trick to add a cookie multiple domains.

On site1.com add this.

<img src="http://site2.com/set-cookie.php" style="display:none;" />
<img src="http://site3.com/set-cookie.php" style="display:none;" />

Is also other methods using js or ajax to send cookie data, but I'd be a little weary any sensitive data.

 

Please elaborate on "Cookies are domain restricted, could be a host or subdomain."

 

Nice article!  I was expecting such good reading

 

Good examples.

 

Please elaborate on what "Is a trick to add a cookie multiple domains." is doing.

 

Thanks!

[QuickOldCar]

Please elaborate on "Cookies are domain restricted, could be a host or subdomain."

 

 

If you set a cookie for a subdomain.domain.com it only works for that.

If you set the cookie as .domain.com will work for all.

 

 

Please elaborate on what "Is a trick to add a cookie multiple domains." is doing.

 

 

Cookies can only be set from the same domain.

Placing it there as an image with no style could load that script in the background so can add additional domains.

[NotionCommotion]

Cookies can only be set from the same domain.

Placing it there as an image with no style could load that script in the background so can add additional domains.

 

Sneaky!  What would be the purpose of doing so?

[QuickOldCar]

One of your companion sites would be a good reason, so don't need additional registration and logins

[NotionCommotion]

Makes sense.  Thanks