Explicitly set cookie domains have dot prepended

VERIFIED INVALID

Status

Core
Networking: Cookies
VERIFIED INVALID
16 years ago
16 years ago

People

(Reporter: Matthew Ryan, Assigned: Stephen P. Morse)

Tracking

Trunk
x86
Windows 2000
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

(Reporter)

Description

16 years ago
If you set a cookie with an explicit domain, such as:
  foo=bar; domain=www.example.com; path=/baz; secure
the cookie shows up in Mozilla's cookie manager with a dot prepended
to the domain ('.www.example.com').

If you set a cookie without any explicit domain, such as:
  foo=xyzzy; path=/baz; secure
the cookie shows up in the cookie manager without the dot.

  If you ever set the cookie with an implicit domain, any subsequent
versions of the cookie set with an explicit domain will be accepted
by Mozilla, but never returned, since the version set with an implicit
domain now has a more specific domain ('www.example.com' instead of
'.www.example.com').  At least, until the first cookie is expired,
of course.

  A website probably shouldn't mix explicit/implicit domains on a
cookie, but this new Mozilla behavior (was not present in 0.9.9)
doesn't seem right either.
(Reporter)

Comment 1

16 years ago
This was tested with Mozilla build 2002052904 (Win32);
that build still exhibits this behavior.
(Assignee)

Comment 2

16 years ago
> If you set a cookie with an explicit domain, such as:
>  foo=bar; domain=www.example.com; path=/baz; secure

That's invalid.  See the cookie spec (RFC2109).  A domain must start with a dot.

Therefore the browser would have been within its rights to reject such a cookie 
since it was invalid.  Instead we are being kind and fixing it up so that sites 
with errors in them can still function properly.

You are mixing up host cookies with domain cookies.  Domain cookies specify a 
particular domain (starting with a dot), and are sent back to all hosts in that 
domain.  Host cookies (those that don't have a domain= attribute) are sent back 
only to the host that set them.  If you look at the display in the cookie 
manager, you will see that the first type of cookie has the field labelled 
"domain" and the other has the field labelled "host".  And the host cookies 
indeed don't show a dot when displayed in the cookie-manager because hosts don't 
start with a dot.

> If you ever set the cookie with an implicit domain, any subsequent
> versions of the cookie set with an explicit domain will be accepted
> by Mozilla, but never returned

You mean a host cookie and a domain cookie set with the same name.  I don't 
believe what you are saying is correct -- in such a case both cookies will be 
returned to the site (if that's not happening, then open a bug on that 
particular behavior).  If a site did set two such cookies with the same 
name, they would be asking for trouble because they would have no way of 
distinguishing between the two when they receive two cookies with identical 
names but different values.  This would definitely be a site problem that they 
created for themselves.

  
Status: UNCONFIRMED → RESOLVED
Last Resolved: 16 years ago
Resolution: --- → INVALID
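
The host-cookie versus domain-cookie scoping described in Comment 2, as an added example (not Mozilla's code and not part of the bug report): a small JavaScript cookie-jar model fed the two Set-Cookie values from the Description. `CookieJar`, `inDomain` and `demo` are hypothetical names; counting the bare host as inside its own dotted domain and rejecting a `domain=` that the setting host is not in are assumptions of this model, and path and secure matching are left out.

```javascript
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  if (eq < 1) return null; // no name=value pair
  const c = { name: pair.slice(0, eq), value: pair.slice(eq + 1) };
  for (const attr of attrs) {
    const [k, v = ""] = attr.split("=").map((s) => s.trim());
    if (k.toLowerCase() === "domain") c.domain = v.toLowerCase();
  }
  return c;
}

// Assumption: a host is in a dotted domain if it equals the domain without
// its leading dot, or ends with the dotted domain.
const inDomain = (host, dotted) => host === dotted.slice(1) || host.endsWith(dotted);

class CookieJar {
  constructor() { this.cookies = new Map(); }
  set(requestHost, header) {
    const c = parseSetCookie(header);
    if (!c) return false;
    const host = requestHost.toLowerCase();
    // No domain= attribute: host cookie, returned to this exact host only.
    // With domain=: domain cookie; a missing leading dot is prepended.
    c.kind = c.domain === undefined ? "host" : "domain";
    c.scope = c.kind === "host" ? host : "." + c.domain.replace(/^\./, "");
    if (c.kind === "domain" && !inDomain(host, c.scope)) return false;
    this.cookies.set([c.kind, c.scope, c.name].join("|"), c);
    return true;
  }
  // Cookies returned to `host`; path and secure matching are left out.
  cookiesFor(host) {
    const h = host.toLowerCase();
    return [...this.cookies.values()]
      .filter((c) => (c.kind === "host" ? c.scope === h : inDomain(h, c.scope)))
      .map((c) => `${c.name}=${c.value}`);
  }
}

// Constructed input: the two Set-Cookie values quoted in the Description.
function demo() {
  const jar = new CookieJar();
  jar.set("www.example.com", "foo=xyzzy; path=/baz; secure");
  jar.set("www.example.com", "foo=bar; domain=www.example.com; path=/baz; secure");
  return {
    stored: [...jar.cookies.values()].map((c) => `${c.kind}:${c.scope}`),
    sameHost: jar.cookiesFor("www.example.com"),
    subHost: jar.cookiesFor("sub.www.example.com"),
  };
}
```

In this model both `foo` values go back to `www.example.com`, while only the domain cookie reaches `sub.www.example.com`, which is the wider scope a site takes on when it sets `domain=`.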
(Assignee)

Comment 3

16 years ago
See also bug 147638 which was marked invalid for the same reason.
(Reporter)

Comment 4

16 years ago
Ah, you are correct.  Apologies; I should have double-checked the
RFC before submitting a bug.

Comment 5

16 years ago
verified invalid
Status: RESOLVED → VERIFIED