Revision as of 00:46, 21 March 2021 view source Pleasancoder (talk \| contribs) 76 edits m →{{anchor\|SameSite cookie}}Same-site cookie ← Previous edit		Revision as of 16:18, 24 March 2021 view source EN-Jungwon (talk \| contribs) Extended confirmed users, Mass message senders, Pending changes reviewers, Rollbackers 58,439 edits →Domain and path: edit requested at Talk:HTTP cookie#Semi-protected edit request on 24 March 2021 Tag: 2017 wikitext editor Next edit →
Line 169: ====Domain and path==== The <code>Domain</code> and <code>Path</code> attributes define the scope of the cookie. They essentially tell the browser what website the cookie belongs to. For ~~obvious~~ security reasons, cookies can only be set on the current resource's top ___domain and its sub domains, and not for another ___domain and its sub domains. For example, the website <code>example.org</code> cannot set a cookie that has a ___domain of <code>foo.com</code> because this would allow the <code>example.org</code> website to control the cookies of <code>foo.com</code>. If a cookie's <code>Domain</code> and <code>Path</code> attributes are not specified by the server, they default to the ___domain and path of the resource that was requested.<ref>{{cite web \|url=http://tools.ietf.org/html/rfc6265#section-4.1.2.4 \|work=IETF \|title=HTTP State Management Mechanism, The Path Attribute \|date=March 2014 \|access-date=2011-05-12 \|archive-url=https://web.archive.org/web/20110501105323/http://tools.ietf.org/html/rfc6265#section-4.1.2.4 \|archive-date=2011-05-01 \|url-status=live }}</ref> However, in most browsers there is a difference between a cookie set from <code>foo.com</code> without a ___domain, and a cookie set with the <code>foo.com</code> ___domain. In the former case, the cookie will only be sent for requests to <code>foo.com</code>, also known as a host-only cookie. In the latter case, all sub domains are also included (for example, <code>docs.foo.com</code>).<ref>{{cite web \|url=http://tools.ietf.org/html/rfc6265#section-5.1.3 \|work=IETF \|title=RFC 6265, HTTP State Management Mechanism, Domain matching \|date=March 2014 \|access-date=2011-05-12 \|archive-url=https://web.archive.org/web/20110501105323/http://tools.ietf.org/html/rfc6265#section-5.1.3 \|archive-date=2011-05-01 \|url-status=live }}</ref><ref>{{cite web \|url=http://tools.ietf.org/html/rfc6265#section-4.1.2.3 \|work=IETF \|title=RFC 6265, HTTP State Management Mechanism, The Domain Attribute \|date=March 2014 \|access-date=2011-05-12 \|archive-url=https://web.archive.org/web/20110501105323/http://tools.ietf.org/html/rfc6265#section-4.1.2.3 \|archive-date=2011-05-01 \|url-status=live }}</ref> A notable exception to this general rule is Edge prior to Windows 10 RS3 and Internet Explorer prior to IE 11 and Windows 10 RS4 (April 2018), which always sends cookies to sub domains regardless of whether the cookie was set with or without a ___domain.<ref>{{cite web \|url=https://blogs.msdn.microsoft.com/b/ieinternals/archive/2009/08/20/wininet-ie-cookie-internals-faq.aspx \|title=Internet Explorer Cookie Internals (FAQ) \| date=21 November 2018 }}</ref>

HTTP cookie: Difference between revisions