Cookies with and without explicit "domain" stored differently, fight for contention




Networking: Cookies
15 years ago
14 years ago


(Reporter: Jeff Veasey, Assigned: Darin Fisher)


Windows 2000






15 years ago
User-Agent:       Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; Q312461; .NET CLR 1.0.3705)
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.4) Gecko/20030624

A cookie with the Set-Cookie header option "domain" for domain "a.b.c" is 
stored with ".a.b.c" as the domain.  A cookie without the "domain" setting for 
host "a.b.c" is stored with "a.b.c" as the host.

When the a.b.c site is visited, the cookie sent is not consistent; sometimes, 
it is the last cookie set, sometimes, it is the first cookie set.  There does 
not appear to be any specific logic dealing with this situation.  When a web 
site begins or ends sending the "domain" header with its cookies, old cookies 
can get "stuck" in the browser with no alternative for the user but to manually 
delete them.

Reproducible: Always

Steps to Reproduce:
Example cookie-setting page can be seen at
1. Send a cookie with "domain" header matching the site address
2. Send an identically keyed cookie without the "domain" header

Actual Results:  
The cookie that is actually sent to the server by the browser is random.  I 
have seen it send the first cookie, and the last cookie.  Upon reflection, the 
browser was always sending the last cookie set until I expired one of the 
cookies; at that point, the cookie sent became unpredictable.

Expected Results:  
Two "identical" cookies for the same site can be stored, and there is no 
pattern for which one will be sent.  Internet Explorer makes no distinction 
between cookies sent with or without domain for the same site; even if this 
isn't the proper way to handle it, consistent behavior is always preferred over 

Comment 1

15 years ago
Note that IE seems to treat a host cookie (one without an explicit domain) and a
domain cookie (one with an explicit domain) as nearly -- nearly -- identical,
while Mozilla treats them as two unique cookies. (The only distinction I can
find in IE is that a host cookie seems to be read-only from a subdomain.) See
bug 222343 comment 7 for excruciating details.

Comment 2

15 years ago
eh? what's going on here?

host cookies and domain cookies are treated differently by mozilla, yes; but
that's an implementation detail. you don't need to care about that.

both your cookies should be sent back to the server. if they're not, that's a
bug. do you still see this problem?
resolving INVALID due to lack of clarification and response from the reporter. 
If this is still a problem in current versions, please provide a real-world
example of where this is causing a problem.
Last Resolved: 14 years ago
Resolution: --- → INVALID
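Added example, not part of the bug report and not Mozilla's code: a small JavaScript model of the storage behaviour described above, where a cookie set with "domain" is kept under ".a.b.c" and one without it under "a.b.c", plus a server-side check for duplicate cookie names. The class and function names, the cookie name and values, the fixed "/" path and the oldest-first send order are assumptions made for the illustration.

```javascript
// Sketch of the jar behaviour described in this report; not Mozilla's code.
// Assumptions: path is always "/", cookies are sent oldest first.
class CookieJar {
  constructor() { this.store = new Map(); this.seq = 0; }
  // requestHost: host that sent Set-Cookie; domain: the "domain" option, if any.
  set(requestHost, name, value, { domain = null, expired = false } = {}) {
    // Domain cookie -> ".a.b.c"; host cookie -> "a.b.c" (as the report observes).
    const stored = domain ? "." + domain.replace(/^\./, "") : requestHost;
    const key = `${stored}|${name}`;
    if (expired) return this.store.delete(key); // only removes the same form
    const prev = this.store.get(key);
    const created = prev ? prev.created : ++this.seq;
    this.store.set(key, { stored, name, value, created });
    return true;
  }

  // Cookies matching a request to `host`, oldest first.
  matching(host) {
    return [...this.store.values()]
      .filter(c => c.stored.startsWith(".")
        ? host === c.stored.slice(1) || host.endsWith(c.stored)
        : host === c.stored)
      .sort((a, b) => a.created - b.created);
  }

  cookieHeader(host) {
    return this.matching(host).map(c => `${c.name}=${c.value}`).join("; ");
  }
}

// Server-side check: cookie names that occur more than once in a Cookie header.
function duplicateNames(header) {
  const seen = new Set(), dups = new Set();
  for (const pair of header.split(/;\s*/).filter(Boolean)) {
    const name = pair.split("=")[0];
    (seen.has(name) ? dups : seen).add(name);
  }
  return [...dups];
}

function demo() {
  const jar = new CookieJar();
  jar.set("a.b.c", "id", "first", { domain: "a.b.c" }); // step 1 (constructed values)
  jar.set("a.b.c", "id", "second");                      // step 2
  const both = jar.cookieHeader("a.b.c");
  const sub = jar.cookieHeader("x.a.b.c");
  jar.set("a.b.c", "id", "", { expired: true });         // expire the host cookie only
  return { both, sub, dups: duplicateNames(both), stuck: jar.cookieHeader("a.b.c") };
}
```

In this model `demo().stuck` still contains the domain cookie: an expiring Set-Cookie removes only the entry stored in the same form (with or without "domain"), which is how an old cookie stays behind when a site changes form.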