When a cookie is set from a web server, it can be scoped to a specific domain or to a domain and all of its subdomains. This article covers a few scenarios and shows how to set cookies for each of them. We'll use PHP code to set cookies from the server side, but the article applies to other server-side languages as well. The findings have been tested on Firefox and Google Chrome.
## Server and browser cookie domain scenarios

What domain the server sets (`Set-Cookie:` response header) | What the browser stores | Applicable to
---|---|---
No `domain` attribute | infoheap.com | Applies only to the domain
infoheap.com | .infoheap.com (notice the dot here) | Applies to both the domain and its subdomains
## Cookie applicable to both domain and subdomains

To set a generic cookie that applies to both the domain and its subdomains from PHP, use the following code. Note that whether or not you put a leading dot in the domain name does not matter from the server's perspective.

```php
// Expiry as a Unix timestamp; here one hour from now.
$expire = time() + 3600;
// Arguments: name, value, expire, path, domain.
setcookie("name1", "value1", $expire, "/", "infoheap.com");
```

Here is what the HTTP header received by the Firefox browser looks like:

```
Set-Cookie: name1=value1; expires=Fri, 21-Jun-2013 17:51:35 GMT; path=/; domain=infoheap.com
```

You can view a cookie in Google Chrome or Firefox. In Firefox, right-click on a page served by your domain, click "View Page Info", then click Security and then View Cookies. Here the cookie will have a dot prefix (.infoheap.com).
## Cookie applicable to the domain but not its subdomains

If you do not specify the domain in PHP `setcookie`, it sets a regular cookie that is tied to the current domain only (and not to any subdomain). Here is what the PHP code looks like:

```php
// Expiry as a Unix timestamp; here one hour from now.
$expire = time() + 3600;
// No path or domain argument: the browser stores a host-only cookie.
setcookie("name1", "value1", $expire);
```

Here is what the HTTP header received by the Firefox browser looks like:

```
Set-Cookie: name1=value1; expires=Fri, 21-Jun-2013 17:51:35 GMT; path=/
```
## When should you use cookies that can be used by subdomains

Usually cookies that store login information should be attached to the top-level site domain (e.g. infoheap.com rather than one of its subdomains), so they are good candidates for generic domain-and-subdomain cookies. That way all your subdomains can make use of such cookies, and you can implement a single login for all your sites. If any of your subdomains is not hosted or controlled by you or a trusted partner, you should avoid domain-and-subdomain cookies.
## Which domain can set a cookie

A lower-level subdomain can set a cookie for a higher-level domain. For example, code served from subdomain.infoheap.com can set cookies for these domains:
- No domain
- subdomain.infoheap.com
- infoheap.com
On the other hand, code served from infoheap.com can't set a cookie for subdomain.infoheap.com.
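The table at the top of this article and the rule just stated both follow from how browsers process the `Domain` attribute (RFC 6265, sections 5.1.3 and 5.3). The following Python model is an added example, not code from the article: it parses `Set-Cookie` header lines like the two shown above, decides whether a browser would accept each cookie from a given serving host, and reports which hosts the stored cookie is later sent to. The public-suffix check uses a tiny constructed set in place of the real Public Suffix List, and IP-address hosts are not handled.

```python
"""Model of browser cookie-domain handling (RFC 6265 §5.1.3 and §5.3).

Added example; it is not the article's code. The PUBLIC_SUFFIXES set is a
constructed stand-in for the real Public Suffix List used by browsers.
"""

# Constructed subset of the Public Suffix List: browsers refuse cookies whose
# Domain attribute is a public suffix, otherwise every .com site could share one.
PUBLIC_SUFFIXES = {"com", "net", "org"}


def canonical_host(host: str) -> str:
    """Lower-case the host and drop surrounding whitespace and a trailing dot."""
    return host.strip().lower().rstrip(".")


def domain_match(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 §5.1.3: the host equals the domain or is a subdomain of it."""
    request_host = canonical_host(request_host)
    cookie_domain = canonical_host(cookie_domain)
    if request_host == cookie_domain:
        return True
    return request_host.endswith("." + cookie_domain)


def parse_set_cookie(header: str) -> dict:
    """Parse 'Set-Cookie: name=value; attr=val; ...' into a plain dict."""
    if header.lower().startswith("set-cookie:"):
        header = header.split(":", 1)[1]
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name.strip(), "value": value.strip(),
              "domain": None, "path": "/"}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "domain":
            cookie["domain"] = val.strip()
        elif key == "path":
            cookie["path"] = val.strip() or "/"
    return cookie


def store_cookie(request_host: str, header: str):
    """Return the cookie record a browser would store, or None if rejected.

    Follows RFC 6265 §5.3 for the Domain attribute: a leading dot is ignored,
    a public suffix is refused, and the serving host must domain-match the
    requested domain (a parent cannot set a cookie for a child subdomain).
    Without a Domain attribute the cookie is host-only.
    """
    cookie = parse_set_cookie(header)
    request_host = canonical_host(request_host)
    domain = cookie["domain"]
    if domain:
        domain = canonical_host(domain.lstrip("."))  # §5.2.3: ignore leading dot
        if domain in PUBLIC_SUFFIXES:
            return None
        if not domain_match(request_host, domain):
            return None  # e.g. infoheap.com setting Domain=sub.infoheap.com
        return {**cookie, "domain": domain, "host_only": False}
    return {**cookie, "domain": request_host, "host_only": True}


def is_sent_to(stored: dict, request_host: str) -> bool:
    """Would the browser attach this stored cookie to a request for request_host?"""
    request_host = canonical_host(request_host)
    if stored["host_only"]:
        return request_host == stored["domain"]
    return domain_match(request_host, stored["domain"])


if __name__ == "__main__":
    # The two headers from the article, replayed against a model browser.
    generic = store_cookie("infoheap.com", "Set-Cookie: name1=value1; "
                           "expires=Fri, 21-Jun-2013 17:51:35 GMT; path=/; domain=infoheap.com")
    host_only = store_cookie("infoheap.com", "Set-Cookie: name1=value1; "
                             "expires=Fri, 21-Jun-2013 17:51:35 GMT; path=/")
    for label, c in (("generic", generic), ("host-only", host_only)):
        for host in ("infoheap.com", "subdomain.infoheap.com", "example.com"):
            print(f"{label:9} cookie sent to {host:24}: {is_sent_to(c, host)}")
```

The `store_cookie` return value of `None` is the model's way of saying the browser silently drops the cookie; that is what happens when infoheap.com tries to set `domain=subdomain.infoheap.com`, and also when any host tries `domain=com`.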
## Performance considerations

It is a good idea to avoid generic domain-and-subdomain cookies unless they are needed by design. Once you set such cookies, the browser sends them to the web server with every request to every subdomain URL, which bloats the amount of data on the wire.
## Final notes

If you run a single-domain site with no subdomains, then you don't have to worry too much about which type of cookie you set. Otherwise it's better to review your design and code and minimize the use of generic domain-and-subdomain cookies.