http - Can subdomain.example.com set a cookie that can be read by example.com? - Server Fault

Tags: http, request, server, cookie, subdomain

"(...) Quoting from the same RFC2109 you read:

* A Set-Cookie from request-host x.foo.com for Domain=.foo.com would be accepted.

So subdomain.example.com can set a cookie for .example.com. So far so good.

The following rules apply to choosing applicable cookie-values from among all the cookies the user agent has.

Domain Selection
The origin server's fully-qualified host name must domain-match the Domain attribute of the cookie

So do we have a domain-match?

* A is a FQDN string and has the form NB, where N is a non-empty name string, B has the form .B', and B' is a FQDN string. (So, x.y.com domain-matches .y.com but not y.com.)

But now example.com wouldn't domain-match .example.com according to the definition. But www.example.com (or any other "non-empty name" in the domain) would.

This RFC is in theory obsoleted by RFC2965, which dictated things about forcing a leading dot for domains on Set-Cookie2 operations. (...)"
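The two RFC 2109 rules the answer walks through, written out as code so the example.com / subdomain.example.com case can be checked directly. This is an added example, not code from the Server Fault answer; the acceptance rules in `accepts_domain_attribute` follow the rejection list of RFC 2109 section 4.3.2 as I read it, and the function names are my own.

```python
# Added example: RFC 2109 domain-match and Set-Cookie Domain acceptance,
# applied to the hosts discussed in the answer above.


def domain_match(host: str, domain: str) -> bool:
    """RFC 2109 domain-match: host A matches B if the strings compare equal,
    or A has the form N + B where N is non-empty and B starts with a dot."""
    host, domain = host.lower(), domain.lower()
    if host == domain:
        return True
    # B must have the form .B', so a Domain without a leading dot never
    # matches a different host ("x.y.com" does not domain-match "y.com").
    if not domain.startswith(".") or not host.endswith(domain):
        return False
    # N must be non-empty: "example.com" is NOT "N" + ".example.com".
    return len(host[: -len(domain)]) > 0


def accepts_domain_attribute(request_host: str, domain_attr: str) -> bool:
    """Would an RFC 2109 user agent accept Set-Cookie ... Domain=domain_attr
    sent by request_host?  Mirrors the rejection rules of section 4.3.2."""
    request_host, domain_attr = request_host.lower(), domain_attr.lower()
    # Domain must start with a dot and contain an embedded dot (".com" is out).
    if not domain_attr.startswith(".") or "." not in domain_attr[1:]:
        return False
    # The request-host must domain-match the Domain attribute.
    if not domain_match(request_host, domain_attr):
        return False
    # request-host = H + D: H may not contain a dot, so a host cannot set a
    # cookie for a domain more than one label above itself.
    return "." not in request_host[: -len(domain_attr)]


def cookie_visible_to(setter: str, domain_attr: str, reader: str) -> bool:
    """The question on this page: setter sends Domain=domain_attr; does the
    user agent accept it AND later send it to reader?"""
    return accepts_domain_attribute(setter, domain_attr) and domain_match(reader, domain_attr)


if __name__ == "__main__":
    for reader in ("example.com", "www.example.com", "subdomain.example.com"):
        print(reader, cookie_visible_to("subdomain.example.com", ".example.com", reader))
```

Modern browsers follow RFC 6265 instead, whose domain matching ignores the leading dot, so under it the bare example.com does receive the cookie; the code above reproduces only the RFC 2109 reading the answer discusses.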