30

I have googled this a lot now and have found conflicting answers. So my question is: how does a browser handle an HTTP cookie that has no domain and no path attributes?

For example this response from server:

200 OK https://example.com/a/b (6047ms) 
Set-Cookie: x-my-cookie=1.0; Max-Age=86400000; Expires=Sun, 05-Jan-2020    08:30:25 GMT

Should the cookie be included when making requests to https://m.example.com/a/b?

What about https://example.com/zzzz?

And https://example.com/a?

And https://example.com/a/b/c?

And https://example.com?

Improve this question
1
  • Be careful with the accepted answer - it's incorrect in regards to one scenario, which I've detailed in a new answer. (Other than that I believe it's all good.)
    – Todd Menier
    Commented Oct 24, 2020 at 16:16

2 Answers 2

Reset to default
35

For Set-Cookie without domain attribute, the cookie's domain value is "the origin server". According to RFC6265:

Unless the cookie's attributes indicate otherwise, the cookie is returned only to the origin server (and not, for example, to any subdomains)...If the server omits the Domain attribute, the user agent will return the cookie only to the origin server.

With the following exception:

WARNING: Some existing user agents treat an absent Domain attribute as if the Domain attribute were present and contained the current host name. For example, if example.com returns a Set-Cookie header without a Domain attribute, these user agents will erroneously send the cookie to www.example.com as well.

Maybe that's why you found conflicting answers.

For Set-Cookie without path attribute, RFC6265 states that:

If the server omits the Path attribute, the user agent will use the "directory" of the request-uri's path component as the default value.

For your example, the answer would be:

Should the cookie be included when making requests to https://m.example.com/a/b?

No. Because m.example.com is not the origin server (example.com).

What about https://example.com/zzzz?

No. Because /zzz is not under "directory" /a/b.

And https://example.com/a?

No. Because /a is not under "directory" /a/b.

And https://example.com/a/b/c?

Yes. Because /a/b/c IS under "directory" /a/b.

And https://example.com?

No. Because / is not under "directory" /a/b.

Improve this answer
3
  • And what about http requests? Does the cookie get included when making a request to http://example.com/a/b/?
    – DerDerrr
    Commented Nov 18, 2019 at 12:53
  • 1
    @DerDerrr That depends on whether Secure directive is set with the cookie. If Secure is set, the cookie won't be included in insecure HTTP request. Please refer to "Secure and HttpOnly cookies" on developer.mozilla.org/en-US/docs/Web/HTTP/Cookies for more information.
    – shaochuancs
    Commented Nov 19, 2019 at 1:50
  • 4
    @shaochuancs re the 3rd case: "No. Because /a is not under "directory" /a/b." I believe that is incorrect. Section 5.1.4, step 4 of the default-path algorithm states: "Output the characters of the uri-path from the first character up to, but not including, the right-most %x2F ("/")." In this case, there's no trailing "/" in the path, the right-most "/" is before the b, so isn't the default path /a and hence this would be a "yes"?
    – Todd Menier
    Commented Jul 27, 2020 at 17:59
7

The accepted answer is incorrect in regards to one scenario:

And https://example.com/a?

No. Because /a is not under "directory" /a/b.

If you only care about Internet Explorer, that's true. If you care about the standard and browsers that comply with it, it isn't.

RFC 6265 provides the following algorithm for computing the default cookie path to use when a Path attribute is not present:

The user agent MUST use an algorithm equivalent to the following algorithm to compute the default-path of a cookie:

  1. Let uri-path be the path portion of the request-uri if such a portion exists (and empty otherwise). For example, if the request-uri contains just a path (and optional query string), then the uri-path is that path (without the %x3F ("?") character or query string), and if the request-uri contains a full absoluteURI, the uri-path is the path component of that URI.

  2. If the uri-path is empty or if the first character of the uri- path is not a %x2F ("/") character, output %x2F ("/") and skip the remaining steps.

  3. If the uri-path contains no more than one %x2F ("/") character, output %x2F ("/") and skip the remaining step.

  4. Output the characters of the uri-path from the first character up to, but not including, the right-most %x2F ("/").

I've highlighted #4 becuase that's the part that matters. For a cookie set at uri-path /a/b, the "right-most" / is the one before the b. The algorithm says to stop there, hence the default cookie path is /a and therefore the cookie should get sent to https://example.com/a.

But as most web developers know, "should" is one thing and "does" is something else. So I wrote a small web app to test this exact scenario: Will a cookie without an explicit Path attribute that is set at /a/b be sent in requests to /a? Here's my findings (latest browser versions, Windows 10):

Chrome - yes

Firefox - yes

Edge - yes

Internet Explorer - no

Improve this answer
2
  • 1
    I'm seeing this exact behaviour on Firefox. I set a cookie in a /auth/facebook/callback response, and in inspector the cookie path was /auth/facebook. My conclusion is that one should always set the cookie path to /.
    – Janko
    Commented Nov 27, 2020 at 20:37
  • @Todd Don't you think the RFC guys should update point 4 ? It seems they still expect to be of type directory1/directory2/resource. Thats the only reason in my opinion why they want to skip the last part which they expect will be resource. Unfortunately, this is not the case now days.
    – Number945
    Commented Dec 13, 2020 at 15:54

Not the answer you're looking for? Browse other questions tagged or ask your own question.