I simply cannot believe this is quite so hard to determine.
Even having read the RFCs, it’s not clear to me if a server at subdomain.example.com can set a cookie that can be read by example.com.
subdomain.example.com can set a cookie whose Domain attribute is .example.com. RFC 2965 seems to explicitly state that such a cookie will not be sent to example.com, but then equally says that if you set Domain=example.com, a dot is prepended, as if you said .example.com. Taken together, this seems to say that if example.com sets a cookie with Domain=example.com, it doesn’t get that cookie back! That can’t be right.
Can anyone clarify what the rules really are?
Yes.
If you make sure to specify that the domain is .example.com, then *.example.com and example.com can access it.
It’s that principle that allows websites that issue cookies when somebody goes to http://www.website.com to access cookies when someone leaves off the www, going to website.com.
EDIT: From the PHP documentation about cookies:
And it’s not unique to PHP.
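The rule the answer describes is what RFC 6265 (which obsoleted RFC 2965 and matches what browsers actually do) calls domain-matching: a leading dot in the Domain attribute is ignored, a cookie with Domain=example.com is sent to example.com and every host below it, and a cookie set without a Domain attribute is host-only. The following is an added illustration, not code from the post or from PHP; function names and the sample hosts are my own.

```python
"""Added example: RFC 6265 cookie Domain handling, simplified.

Not from the original question or answer. Omits the public-suffix check
real browsers also apply (e.g. rejecting Domain=com or Domain=co.uk).
"""
from typing import Optional


def canonical_domain_attr(value: str) -> str:
    """Normalise a Set-Cookie Domain attribute (RFC 6265 section 5.2.3):
    drop one leading dot and lower-case the result."""
    v = value.strip()
    if v.startswith("."):
        v = v[1:]
    return v.lower()


def domain_matches(host: str, domain: str) -> bool:
    """RFC 6265 section 5.1.3: host domain-matches domain if they are equal,
    or host ends with '.' + domain and host is a name, not an IP address.
    The IP check is a crude one: last label all digits means IPv4."""
    host, domain = host.lower(), domain.lower()
    if host == domain:
        return True
    if host.split(".")[-1].isdigit():
        return False
    return host.endswith("." + domain)


def accept_cookie(request_host: str, domain_attr: Optional[str]) -> Optional[dict]:
    """Decide whether a user agent stores a cookie set by request_host.
    Returns the stored cookie-domain and host-only flag, or None if the
    cookie is rejected because request_host is not within that domain."""
    if not domain_attr:
        # No Domain attribute: host-only cookie, exact host match only.
        return {"domain": request_host.lower(), "host_only": True}
    cookie_domain = canonical_domain_attr(domain_attr)
    if not domain_matches(request_host, cookie_domain):
        return None
    return {"domain": cookie_domain, "host_only": False}


def sent_to(cookie: dict, target_host: str) -> bool:
    """Would a stored cookie be attached to a request for target_host?"""
    if cookie["host_only"]:
        return target_host.lower() == cookie["domain"]
    return domain_matches(target_host, cookie["domain"])


if __name__ == "__main__":
    c = accept_cookie("subdomain.example.com", "example.com")
    print(sent_to(c, "example.com"), sent_to(c, "www.example.com"))  # True True
```

The last two cases in the test below show the two traps the question circles around: the leading dot changes nothing, and leaving Domain off entirely is what keeps a cookie from reaching example.com.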