httpd-users mailing list archives

Subject Re: [users@httpd] Setting cookies from proxied backend
Date Fri, 18 Jul 2008 12:32:41 GMT
Thank you for clarifying.
- I forgot to mention the Set-Cookie domain must match the suffix of
the originating host.
- Neither of us mentioned that IP Addresses are exempt from partial
domain matching.  IP Addresses are allowed as the Cookie domain for
exact matches.
- We had difficulty receiving Cookies for set by at
the level during the last decade (1998?).  Hopefully all modern
browsers work as specified in the RFC.  I should have marked this
information as suggestive for testing rather than definitive.

"The server "" can set a cookie for ""."
This should be inaccurate because "" is not a suffix of
the originating server.  Server "" may be able to set
Cookies for itself -- the RFC suggests the server name is used if no
Domain parameter is specified in Set-Cookie:
   "Domain Defaults to the request-host.  (Note that there is no dot
at the beginning of request-host.)"
The two-dots rule only applies to Domain parameters. I have not tested.


On 7/18/08, André Warnier <> wrote:
>  First, I found a thread which might provide some useful information for the
> original poster :
>  Second,
> wrote:
> > On 7/17/08, jamanbo jamanbo <> wrote:
>  Respectfully, I believe there are several inaccuracies in the explanation
> given by solprovider, and this might induce the OP in error.
>  The notes below represent my own understanding of the matter, based on
>  and
>  Please correct me if I am wrong.
> > Cookies are set for the parent domain part of the server name.  The
> > Cookie for "" is set at"".
>  The server "" can technically (try to) set a cookie for
> whatever domain it chooses, via a "Set-Cookie" header.  By default (when not
> specified), the cookie domain is understood as being the domain that exactly
> matches the server's FQDN (fully-qualified domain name, like
> "").
>  Now whether the browser accepts it is another story.
>  A browser respectful of the specification would only accept a cookie from a
> server, if the server's own domain "belongs to" (is a sub-domain of) the
> cookie domain.
>  For example, from a server known as "", a browser will
> accept a cookie for the domain "" or "" or
> "" or "" (but not for ".com" because that domain
> does not contain at least two dots).
>  (The reason for that is that it is considered unsafe that a server
> "" should be able to set a cookie for the server
> "" for instance).
> > Cookies cannot be set at the TLD level.
> >
>  True in a way, see above, but only because the browser should not accept a
> cookie for a domain that does not contain at least 2 dots.
>  Default domain no-name servers
> > ("") cannot use Cookies because the Cookie would be set at
> > the ".com" TLD.
> >
>  The server "" can set a cookie for "".
>  Browsers will save the Cookie
> > at the next level ("") and send the Cookie with every
> > request to *  A server name at the same level must be
> > specified.  Requests to "" and
> > "" will not include the Cookie.
> >
>  The browser will save the cookie with the domain exactly as specified in
> the cookie, if this is valid (iow the domain of the cookie contains at least
> 2 dots, and the server issuing the cookie is a member of that domain).
>  A cookie set for "" will be sent by the browser with any
> request to "", or "", or ""
> or "".
>  A cookie set for "" will be sent with every request to a
> server "" or "" or "", but
> not for "" nor for "" e.g.
>  André
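The thread above states the cookie-domain acceptance rules in prose: no Domain attribute means the cookie defaults to the request-host, a Domain attribute must contain at least two dots (so ".com" is refused), it must be a suffix of the originating host, and IP addresses get exact matching only. The following Python is an added illustration written for this archive page, not code from either poster or from httpd; it models those rules as the thread describes them (RFC 2109-era behaviour) and then shows which later requests a stored cookie would accompany. All host names and addresses in it are constructed examples. Browsers following RFC 6265 additionally consult the Public Suffix List, so a real browser rejects more domains than this model does.

```python
import ipaddress
from typing import NamedTuple, Optional

# Rules as stated in the thread (RFC 2109-era behaviour):
#  - no Domain attribute: the cookie defaults to the request-host (host-only)
#  - Domain, written with a leading dot, must contain at least two dots
#    (".example.com" is fine, ".com" is a TLD and is refused)
#  - Domain must be a suffix of the originating request-host
#  - IP addresses are exempt from partial matching: exact match only
# Modern browsers (RFC 6265) also reject public suffixes via the Public Suffix List;
# that list is deliberately not modelled here.


class StoredCookie(NamedTuple):
    domain: str       # domain the cookie is stored under, without the leading dot
    host_only: bool   # True when the Set-Cookie carried no Domain attribute


def _is_ip(host: str) -> bool:
    """True for an IPv4 or IPv6 literal, False for a host name."""
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return False
    return True


def accept_set_cookie(request_host: str, domain_attr: Optional[str]) -> Optional[StoredCookie]:
    """Decide whether a Set-Cookie with the given Domain attribute, received in a
    response from request_host, is accepted. Returns the stored form, or None."""
    host = request_host.lower().rstrip(".")
    if not domain_attr:
        # "Domain defaults to the request-host" (no leading dot, host-only)
        return StoredCookie(domain=host, host_only=True)
    bare = domain_attr.lower().rstrip(".").lstrip(".")
    if _is_ip(host) or _is_ip(bare):
        # IP addresses: an exact match is the only accepted form
        return StoredCookie(domain=bare, host_only=False) if host == bare else None
    dotted = "." + bare
    if dotted.count(".") < 2:
        return None  # TLD-level domain such as ".com": fewer than two dots
    if host != bare and not host.endswith(dotted):
        return None  # Domain is not a suffix of the originating host
    return StoredCookie(domain=bare, host_only=False)


def cookie_applies(cookie: StoredCookie, request_host: str) -> bool:
    """Would the browser send this stored cookie with a request to request_host?"""
    host = request_host.lower().rstrip(".")
    if cookie.host_only:
        return host == cookie.domain          # default-domain cookie: originating host only
    return host == cookie.domain or host.endswith("." + cookie.domain)


if __name__ == "__main__":
    # Constructed examples; the hosts are placeholders, not real sites.
    for origin, attr in [("www.example.com", None), ("www.example.com", ".example.com"),
                         ("www.example.com", ".com"), ("www.example.com", ".other.com"),
                         ("10.0.0.5", "10.0.0.5"), ("10.0.0.5", ".0.0.5")]:
        print(f"{origin!r} Domain={attr!r} -> {accept_set_cookie(origin, attr)}")
    stored = accept_set_cookie("www.example.com", ".example.com")
    for target in ["shop.example.com", "example.com", "notexample.com", "example.org"]:
        print(f"cookie for {stored.domain!r} sent to {target!r}: {cookie_applies(stored, target)}")
```

Running the script prints one line per Set-Cookie decision and one per later request, which makes the two claims debated in the thread visible side by side: whether a given Domain attribute is accepted at all, and, once stored, how far the cookie travels.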