Sharing Cookies Between Subdomains and Domains

Introduction to Cookie Sharing

Cookies are small pieces of data stored by web browsers that allow websites to remember user preferences, login information, and other important details. However, when it comes to subdomains and domains, cookie sharing can become a bit complex. In this tutorial, we will explore how cookies can be shared between subdomains and domains.

Understanding Cookie Attributes

To share cookies between subdomains and domains, you need to understand the Domain attribute of the Set-Cookie header. The Domain attribute names the domain the cookie is valid for. If it is not set, the cookie is a host-only cookie: the browser sends it back only to the exact host that set it, never to that host's subdomains.

For example, if a cookie is set with the following header:

Set-Cookie: name=value

The cookie will only be sent to the exact host that set it. If the Domain attribute is set, the cookie is shared between that domain and all of its subdomains. For instance:

Set-Cookie: name=value; domain=example.com

This cookie will be sent to example.com and any subdomain of example.com, including nested subdomains like subsub.subdomain.example.com.

Domain Matching

To decide whether a stored cookie applies to a particular host, the browser uses the domain matching rule from RFC 6265. A host domain-matches a domain string when the two are identical, or when the domain string is a suffix of the host that begins at a label boundary, that is, the character just before the suffix is a dot. The boundary matters: notexample.com does not domain-match example.com, even though example.com is a suffix of that string.

For example, subdomain.example.com domain-matches example.com, but example.com does not domain-match subdomain.example.com. So a cookie set by subdomain.example.com with Domain=example.com will be sent to example.com (and to every other subdomain of it), while a cookie set by example.com with Domain=subdomain.example.com is rejected by the browser outright and never stored.

Setting Cookies from Subdomains

According to the specification, a subdomain can set a cookie scoped to its parent domain, as long as that parent is not a public suffix: browsers consult the Public Suffix List and refuse Domain=com or Domain=co.uk, since such a cookie would be shared with every unrelated site under that suffix. For instance:

Set-Cookie: name=value; Domain=example.com // GOOD

However, a domain cannot set a cookie on a subdomain. If you try to set a cookie with the following header:

Set-Cookie: name=value; Domain=subdomain.example.com // Browser rejects cookie

The browser will reject the cookie.

Protecting Cookies from Being Read by Subdomains/Domains

The Secure and HttpOnly attributes do not control which hosts receive a cookie: Secure restricts it to HTTPS connections and HttpOnly hides it from JavaScript. The only way to keep a cookie away from subdomains is to set it without a Domain attribute, so that it is host-only and is sent to the exact host alone. In the other direction there is no attribute at all that stops a subdomain from writing cookies scoped to the parent domain. Someone controlling another subdomain visited by the same browser can set a cookie with Domain=example.com and the same name as your site's session cookie; the browser then sends both cookies to your site, and your server cannot tell which one it issued. The __Host- cookie name prefix narrows this for the cookies that use it: a browser only accepts a cookie named __Host-... when it carries Secure, Path=/ and no Domain attribute, so a subdomain cannot create a __Host-session cookie that reaches the parent host.

Example Code

Here is an example of how you can set cookies using JavaScript:

document.cookie = "key=value"; // No Domain attribute: a host-only cookie for the current host, not sent to its subdomains
document.cookie = "key=value; domain=.example.com"; // Scoped to example.com and all its subdomains; the leading dot is ignored, and the page must itself be on example.com or one of its subdomains
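The domain matching rule, the rules for which Domain values a browser accepts from which host, and the subdomain cookie-writing problem described above can all be seen in one small model of a browser cookie jar. This is an added example written for this page, not code from the original article; it assumes every request is over HTTPS, leaves Path matching out, and uses a three-entry stand-in for the real Public Suffix List.

```javascript
// Added example, not code from the original article: a small model of the
// RFC 6265 rules a browser applies when it stores a Set-Cookie header and
// when it builds the Cookie header for a request. HTTPS is assumed for every
// request, Path matching is left out, and the set below is a stand-in for
// the real Public Suffix List (https://publicsuffix.org/).
const PUBLIC_SUFFIXES = new Set(["com", "co.uk", "github.io"]);

// RFC 6265 5.1.3: host domain-matches domain when the two are identical or
// domain is a suffix of host that starts at a label boundary. The boundary
// check is what keeps notexample.com from matching example.com.
function domainMatches(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  return host === domain || host.endsWith("." + domain);
}

// Split "name=value; Attr=v; Flag" into its parts; attribute names are
// case-insensitive, so they are lower-cased, and bare flags become true.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const attrs = {};
  for (const attr of rest) {
    const i = attr.indexOf("=");
    const key = (i < 0 ? attr : attr.slice(0, i)).trim().toLowerCase();
    attrs[key] = i < 0 ? true : attr.slice(i + 1).trim();
  }
  return { name: pair.slice(0, eq).trim(), value: pair.slice(eq + 1).trim(), attrs };
}

class CookieJar {
  constructor() {
    this.cookies = [];
  }

  // Store a cookie from a response served by requestHost. Returns true when
  // the browser would accept it and false when it would be discarded.
  setCookie(requestHost, header) {
    const { name, value, attrs } = parseSetCookie(header);
    requestHost = requestHost.toLowerCase();
    let domain = requestHost;
    let hostOnly = true; // no Domain attribute: only the exact host gets it
    if (attrs.domain !== undefined) {
      domain = attrs.domain.toLowerCase().replace(/^\./, ""); // leading dot is ignored
      if (PUBLIC_SUFFIXES.has(domain)) return false; // Domain=com is refused
      if (!domainMatches(requestHost, domain)) return false; // a parent cannot target a subdomain
      hostOnly = false;
    }
    // __Host- prefix (RFC 6265bis): Secure, Path=/ and no Domain attribute,
    // so such a cookie can only ever be host-only on the host that set it.
    if (name.startsWith("__Host-") &&
        (attrs.secure !== true || attrs.path !== "/" || attrs.domain !== undefined)) {
      return false;
    }
    const path = attrs.path || "/";
    // (name, domain, path) identifies a cookie; setting it again replaces it.
    this.cookies = this.cookies.filter(
      (c) => !(c.name === name && c.domain === domain && c.path === path)
    );
    this.cookies.push({ name, value, domain, path, hostOnly });
    return true;
  }

  // Cookie header the browser would send to host, in storage order.
  cookieHeader(host) {
    host = host.toLowerCase();
    return this.cookies
      .filter((c) => (c.hostOnly ? c.domain === host : domainMatches(host, c.domain)))
      .map((c) => `${c.name}=${c.value}`)
      .join("; ");
  }
}

// Cookie tossing: the subdomain sets a same-named cookie scoped to the parent
// domain, so www.example.com receives two session cookies and cannot tell
// which one it issued.
function cookieTossingDemo() {
  const jar = new CookieJar();
  jar.setCookie("www.example.com", "session=legit; Secure; HttpOnly");
  jar.setCookie("evil.example.com", "session=attacker; Domain=example.com");
  return jar.cookieHeader("www.example.com"); // "session=legit; session=attacker"
}

// With the __Host- prefix the tossed cookie is refused because it carries a
// Domain attribute; without Domain it is accepted but stays host-only on
// evil.example.com and never reaches www.example.com.
function hostPrefixDemo() {
  const jar = new CookieJar();
  const legit = jar.setCookie("www.example.com", "__Host-session=legit; Secure; Path=/");
  const tossed = jar.setCookie("evil.example.com", "__Host-session=attacker; Secure; Path=/; Domain=example.com");
  const plain = jar.setCookie("evil.example.com", "__Host-session=attacker; Secure; Path=/");
  return { legit, tossed, plain, header: jar.cookieHeader("www.example.com") };
}
```

Run it under Node: cookieTossingDemo() returns the two same-named session cookies the parent host receives, and hostPrefixDemo() shows the tossed __Host- cookie being refused while the Domain-less one from the subdomain is stored but only for evil.example.com. The model is deliberately strict about public suffixes; a real browser makes one exception and treats Domain equal to the request host itself as host-only instead of rejecting it.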

Conclusion

Sharing cookies between subdomains and domains requires understanding the Domain attribute of the Set-Cookie header and how domain matching works. By setting the Domain attribute you share a cookie between a domain and all of its subdomains; by leaving it out you get a host-only cookie that stays with the exact host that set it. Keep in mind that a subdomain can set a cookie on its parent domain (unless that parent is a public suffix), but a domain cannot set a cookie on a subdomain. Secure and HttpOnly do not change which hosts receive a cookie, and nothing stops a subdomain from writing same-named cookies onto the parent domain, so do not treat a cookie's presence as proof that your own site set it; the __Host- prefix is the one mechanism that keeps a named cookie from being tossed in from a subdomain.
