If you set a cookie with an explicit domain, such as:

    foo=bar; domain=www.example.com; path=/baz; secure

the cookie shows up in Mozilla's cookie manager with a dot prepended to the domain ('.www.example.com').

If you set a cookie without any explicit domain, such as:

    foo=xyzzy; path=/baz; secure

the cookie shows up in the cookie manager without the dot.

If you ever set the cookie with an implicit domain, any subsequent versions of the cookie set with an explicit domain will be accepted by Mozilla, but never returned, since the version set with an implicit domain now has a more specific domain ('www.example.com' instead of '.www.example.com'). At least, until the first cookie is expired, of course.

A website probably shouldn't mix explicit/implicit domains on a cookie, but this new Mozilla behavior (was not present in 0.9.9) doesn't seem right either.
This was tested with Mozilla build 2002052904 (Win32); that build still exhibits this behavior.
> If you set a cookie with an explicit domain, such as:
> foo=bar; domain=www.example.com; path=/baz; secure

That's invalid. See the cookie spec (RFC2109). A domain must start with a dot. Therefore the browser would have been within its rights to reject such a cookie since it was invalid. Instead we are being kind and fixing it up so that sites with errors in them can still function properly.

You are mixing up host cookies with domain cookies. Domain cookies specify a particular domain (starting with a dot), and are sent back to all hosts in that domain. Host cookies (those that don't have a domain= attribute) are sent back only to the host that set them. If you look at the display in the cookie manager, you will see that the first type of cookie has the field labelled "domain" and the other has the field labelled "host". And the host cookies indeed don't show a dot when displayed in the cookie-manager because hosts don't start with a dot.

> If you ever set the cookie with an implicit domain, any subsequent
> versions of the cookie set with an explicit domain will be accepted
> by Mozilla, but never returned

You mean a host cookie and a domain cookie set with the same name. I don't believe what you are saying is correct -- in such a case both cookies will be returned to the site (if that's not happening, then open a bug on that particular behavior).

If a site did set two such cookies with the same name, they would be asking for trouble because they would have no way of distinguishing between the two when they receive two cookies with identical names but different values. This would definitely be a site problem that they created for themselves.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 16 years ago
Resolution: --- → INVALID
See also bug 147638 which was marked invalid for the same reason.
Ah, you are correct. Apologies; I should have double-checked the RFC before submitting a bug.
Status: RESOLVED → VERIFIED
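
Added example, not part of the original bug report and not Mozilla's code: a simplified JavaScript model of the host-cookie versus domain-cookie distinction as the reply above describes it, run on the two cookies from the report. The function names, the jar structure and the rule that a domain cookie also matches the bare host name are assumptions of this sketch.

```javascript
// Simplified model of host cookies vs domain cookies; not Mozilla's code.
function parseSetCookie(header, requestHost) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = {
    name: pair.slice(0, eq), value: pair.slice(eq + 1),
    kind: 'host', // no domain= attribute: host cookie
    scope: requestHost.toLowerCase(),
    path: '/', secure: false,
  };
  for (const attr of attrs) {
    const [k, v = ''] = attr.split('=').map((s) => s.trim());
    const key = k.toLowerCase();
    if (key === 'domain' && v) {
      cookie.kind = 'domain';
      // Fix-up described in the thread: prepend the missing leading dot.
      cookie.scope = (v.startsWith('.') ? v : '.' + v).toLowerCase();
    } else if (key === 'path' && v) {
      cookie.path = v;
    } else if (key === 'secure') {
      cookie.secure = true;
    }
  }
  return cookie;
}

// Host cookies need an exact host match; domain cookies match every host in
// the domain (assumption: the bare name without the dot matches too).
function scopeMatches(cookie, host) {
  const h = host.toLowerCase();
  if (cookie.kind === 'host') return h === cookie.scope;
  return h === cookie.scope.slice(1) || h.endsWith(cookie.scope);
}

// "name=value" pairs a request for host/path would carry (prefix path match).
function cookiesFor(jar, host, path, isHttps) {
  return jar
    .filter((c) => scopeMatches(c, host) && path.startsWith(c.path))
    .filter((c) => isHttps || !c.secure)
    .map((c) => `${c.name}=${c.value}`);
}

// Constructed sample: the two cookies from the report, set by www.example.com.
const jar = [
  'foo=bar; domain=www.example.com; path=/baz; secure',
  'foo=xyzzy; path=/baz; secure',
].map((h) => parseSetCookie(h, 'www.example.com'));
console.log(cookiesFor(jar, 'www.example.com', '/baz/page', true));
console.log(cookiesFor(jar, 'a.www.example.com', '/baz/page', true));
```

In this model the setting host receives both foo values, while a host below it receives only the domain cookie, which is why a site cannot tell the two apart by name.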