http - Can subdomain.example.com set a cookie that can be read by example.com? - Server Fault
Tags: http, request, server, cookie, subdomain
"(...) Quoting from the same RFC2109 you read:
* A Set-Cookie from request-host x.foo.com for Domain=.foo.com would
be accepted.
So subdomain.example.com can set a cookie for .example.com. So far so good.
The following rules apply to choosing applicable cookie-values from
among all the cookies the user agent has.
Domain Selection
The origin server's fully-qualified host name must domain-match
the Domain attribute of the cookie
So do we have a domain-match?
* A is a FQDN string and has the form NB, where N is a non-empty name
string, B has the form .B', and B' is a FQDN string. (So, x.y.com
domain-matches .y.com but not y.com.) (...)"
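The rules quoted in the answer above can be run directly. This is an added example, not code from the original post: the function names are hypothetical, the Set-Cookie rejection checks follow RFC 2109 section 4.3.2, and the RFC 6265 matcher goes beyond the quoted text to show the later rule, which drops the leading dot before matching.

```python
import ipaddress

def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def domain_match_2109(host, domain):
    """RFC 2109 domain-match: identical strings, or host = N + domain where
    N is non-empty and domain starts with a dot."""
    a, b = host.lower(), domain.lower()
    if a == b:
        return True
    if _is_ip(a) or not b.startswith("."):
        return False
    return a.endswith(b) and len(a) > len(b)

def set_cookie_accepted_2109(request_host, domain):
    """RFC 2109 section 4.3.2 checks on the Domain attribute of a Set-Cookie."""
    h, d = request_host.lower(), domain.lower()
    if not d.startswith(".") or "." not in d.strip("."):
        return False              # no leading dot, or no embedded dot (".com")
    if not domain_match_2109(h, d):
        return False              # request-host must domain-match Domain
    prefix = h[: -len(d)]         # the H in request-host = H + D
    return "." not in prefix      # H must not contain dots

def domain_match_6265(host, domain_attr):
    """RFC 6265: one leading dot of the Domain attribute is ignored
    (section 5.2.3), then the suffix rule of section 5.1.3 applies."""
    a, b = host.lower(), domain_attr.lower()
    if b.startswith("."):
        b = b[1:]
    if not b:
        return False
    if a == b:
        return True
    return a.endswith("." + b) and not _is_ip(a)

if __name__ == "__main__":
    cookie_domain = ".example.com"   # Domain attribute from the question
    print("accepted from subdomain.example.com:",
          set_cookie_accepted_2109("subdomain.example.com", cookie_domain))
    # Constructed host list: which hosts would be sent the cookie back?
    for host in ("subdomain.example.com", "example.com", "badexample.com"):
        print(host, "2109:", domain_match_2109(host, cookie_domain),
              "6265:", domain_match_6265(host, cookie_domain))
```

Under the literal RFC 2109 rule the apex host `example.com` does not domain-match `.example.com`, while under RFC 6265 it does, so a cookie scoped to the parent domain by any subdomain should be treated as reaching the apex and every sibling host.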