Why do Chrome and Safari not see cookies for some subdomains?

I have a site that's generating a cookie for example.com. It is accessible in Firefox, Chrome 18 and Safari at both http://example.com and http://www.example.com. However, I cannot access the cookie from http://test.me.example.com in webkit derived browsers. It works in Firefox.

I've tested this with domain= set to either example.com or .example.com when setting the cookie from JavaScript.

The cookie has a path of / and has expires set.


How do you specify the subdomain? Chrome expects cookies for subdomains to be prefixed with a dot, e.g. domain=.example.com.

You may find this post useful: https://serverfault.com/questions/153409/can-subdomain-example-com-set-a-cookie-that-can-be-read-by-example-com

Quoting from the same RFC2109 you read:

   * A Set-Cookie from request-host x.foo.com for Domain=.foo.com would
     be accepted.

So subdomain.example.com can set a cookie for .example.com. So far so good.

   The following rules apply to choosing applicable cookie-values from
   among all the cookies the user agent has.

   Domain Selection
        The origin server's fully-qualified host name must domain-match
        the Domain attribute of the cookie

So do we have a domain-match?

  • A is a FQDN string and has the form NB, where N is a non-empty name string, B has the form .B', and B' is a FQDN string. (So, x.y.com domain-matches .y.com but not y.com.) But now example.com wouldn't domain-match .example.com according to the definition. But www.example.com (or any other "non-empty name" in the domain) would. This RFC is in theory obsoleted by RFC2965, which dictated things about forcing a leading dot for domains on Set-Cookie2 operations.
  • More important, as noted by @Tony, is the real world. For a glimpse into what actual user agents are doing, see Firefox 3's nsCookieService.cpp and Chrome's cookie_monster.cc. For perspective into what actual sites are doing, try playing with wget using --save-cookies, --load-cookies, and --debug to see what's going on.

    You'll likely find that in fact most sites are using some combination of Set-Cookie from the older RFC spec with "Host" values, implicitly without a leading dot (as twitter.com does) or setting Domain values (with a leading dot) and redirecting to a server like www.example.com (as google.com does).
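The RFC2109 rules the answer quotes (domain-match, the rejection rules of section 4.3.2, and domain selection), written out as an added example so the question's hosts can be checked against them. This is not code from the question or either answer; the cookie jar below is constructed, and real browsers deviate from this strict reading as the answer notes.

```javascript
// RFC 2109 section 2: A domain-matches B if they are identical, or A = NB where
// N is a non-empty name string and B has the form .B' (so x.y.com matches .y.com,
// but y.com does not, and example.com does not match .example.com).
function domainMatch(hostA, domainB) {
  const a = hostA.toLowerCase();
  const b = domainB.toLowerCase();
  if (a === b) return true;
  return b.startsWith('.') && b.length > 1 && a.length > b.length && a.endsWith(b);
}

// RFC 2109 section 4.3.2: may request-host store a Set-Cookie with this Domain
// attribute? Returns null when accepted, otherwise the reason it is rejected.
function rejectReason(requestHost, domainAttr) {
  const host = requestHost.toLowerCase();
  const d = domainAttr.toLowerCase();
  // Domain must start with a dot and contain an embedded dot (".com" is rejected).
  if (!d.startsWith('.') || d.indexOf('.', 1) === -1) {
    return 'Domain must start with a dot and contain an embedded dot';
  }
  if (!domainMatch(host, d)) return 'request-host does not domain-match Domain';
  // request-host = HD where H contains a dot is rejected: test.me.example.com
  // may not set Domain=.example.com, while www.example.com may.
  const h = host.slice(0, host.length - d.length);
  if (h.includes('.')) return 'extra label between request-host and Domain';
  return null;
}

// Domain Selection: the cookies whose Domain the request host domain-matches.
function applicableCookies(host, cookies) {
  return cookies.filter(c => domainMatch(host, c.domain)).map(c => c.name);
}

// Constructed jar mirroring the question: one cookie with Domain=.example.com and
// one with no Domain attribute, which RFC 2109 defaults to the request-host itself.
const JAR = [
  { name: 'withDot', domain: '.example.com' },
  { name: 'hostOnly', domain: 'example.com' },
];
```

Under the strict reading, a request to example.com selects only the host-only cookie, while www.example.com and test.me.example.com select only the dotted one.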
