What does the dot prefix in the cookie domain mean?

cookies

Solution 1:

The leading dot means that the cookie is valid for subdomains as well; nevertheless recent HTTP specifications (RFC 6265) changed this rule so modern browsers should not care about the leading dot. The dot may be needed by old browser implementing the deprecated RFC 2109.

RFC 6265 section 4.1.2.3

For example, if the value of the Domain attribute is "example.com", the user agent will include the cookie in the Cookie header when making HTTP requests to example.com, www.example.com, and www.corp.example.com. (Note that a leading %x2E ("."), if present, is ignored even though that character is not permitted, but a trailing %x2E ("."), if present, will cause the user agent to ignore the attribute.)

Solution 2:

local.test.com will be used for the domain, while .local.test.com will be used for subdomains too.

Solution 3:

From the article The definitive guide to cookie domains and why a www-prefix makes your website safer:

Conclusion

Although the definitions are somewhat different, we can simplify it for any of these implementations as:

  • When no domain is set in the cookie, the cookie should only match the exact host name of the request. [NOTE: this is different from returning a Set-Cookie with a domain without a dot!] No sub domains, no partial matches. This means simply not including the domain attribute – it is not valid to set an empty domain attribute. Unfortunately, Internet Explorer appears to treat this as the host name along with any subdomains.

  • When setting a domain in the cookie, the safe choice is to have it preceded by a dot, like .erik.io. The cookie will match with all sub domains.

  • Setting a cookie domain without a preceding dot, like erik.io, is invalid in RFC 2109 implementations, and will produce the same behaviour as with a preceding dot on other implementations. There is no way to restrict a cookie to a specific explicitly set domain, without sub domains being included.

Other worthwhile observations:

  • In all RFCs, a specified cookie domain must match the current host name, per normal matching. Setting a cookie for www.erik.io in a response from erik.io is not valid, as a cookie with domain www.erik.io does not match erik.io, the former being more specific.

  • In RFC 6265, domains are explicitly lower cased when parsing the Set-Cookie header.

Solution 4:

The leading dot in ".local.test.com" is just how chrome views cookies with a "Domain=local.test.com" set (or a "Domain=.local.test.com", which is the same).

Set-Cookie definitions without "Domain=something" views the domain (=host) without a leading dot.

So the leading dot in chrome don't reflect whether or not a leading dot was used from the server, but whether or not that cookie had a "Domain=something" in its definition from the server. (And if it had, the cookie will also be sent to sub-domains).

At least this is what my tests show. Chrome should make this easier to read, for instance view the exact string that defined the cookie and when it was received.

Related

How do I configure a Python interpreter in IntelliJ IDEA with the PyCharm plugin?
Why doesn't Haskell's Prelude.read return a Maybe?
Downcasting shared_ptr<Base> to shared_ptr<Derived>?
Errors: "INSERT EXEC statement cannot be nested." and "Cannot use the ROLLBACK statement within an INSERT-EXEC statement." How to solve this?
Best TCP port number range for internal applications [closed]
How can I solve the error LNK2019: unresolved external symbol - function?
Adding hours, minutes, seconds to current time
Is module __file__ attribute absolute or relative?
What kind of Garbage Collection does Go use?
Why can I type alias functions and use them without casting?
How to do date/time comparison
Can you help me understand Moq Callback?