
Cookie RFC not followed?

Hi all,

I am using Cookies in JSP/Servlets and the following doubt came to my mind.

In the Cookie RFC 2109, section 4.3.2, it says:

A Set-Cookie from request-host y.x.foo.com for Domain=.foo.com
would be rejected, because H is y.x and contains a dot.

But when I test it myself on my server it doesn't follow this constraint. I have the domain x.y.myserver.com with a servlet written there. I set a cookie with domain = .myserver.com and it works. It allows me to set that cookie.

Does anybody know why this happens? Don't browsers follow the RFC? Or was there some addendum or part of that RFC that I missed which describes this anomaly?

1 Solution
I'm pretty sure that it works when you go back to the same host (in other words, because the cookie was a response from x.y.myserver.com, it gets included in future requests to x.y.myserver.com). In other words, I think section 4.3.4 often overrides section 4.3.2 (at least as implemented in most browsers).

But I'm pretty sure that the cookie will not be included in requests to other hosts like z.y.myserver.com.

BTW, you didn't say which browser version you were working with. Cookies would only be rejected (actually ignored) by the browser client. When a server sends a response, there is no way for the client to tell the server that the cookie has been rejected. Rejecting a cookie only means that the browser ignores it. For a cookie with $Domain=.myserver.com, I suppose it might be implemented as 'Don't send to other URIs even if the host part ends in .myserver.com, because 4.3.2 was violated. However, do send back to x.y.myserver.com, because that was the host which set the cookie.'

And also, I don't think any browser is compliant with all the RFC (and other) specs.

And finally, are you using Version="1"? I think if you don't use that cookie header, a client may interpret the cookie to be version 0, a looser standard produced by Netscape.
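To make the two sections being discussed concrete, here is an added example (not code from the original thread) that implements the RFC 2109 section 4.3.2 acceptance rules and the section 4.3.4 domain-selection rule, and then reports which hosts would receive a cookie set from x.y.myserver.com for Domain=.myserver.com. The `strict` flag models the two behaviours the answer contrasts: a literal 4.3.2 client that ignores the cookie outright, versus a client that still returns it to the setting host only; both modes and all host names are assumptions for illustration.

```python
from __future__ import annotations

# Added example: RFC 2109 section 2 domain-match, section 4.3.2 rejection
# rules and section 4.3.4 domain selection. Not the thread's own code.

def domain_match(host: str, domain: str) -> bool:
    """RFC 2109 section 2: equal strings, or host = N + domain with a non-empty N
    and domain beginning with a dot."""
    host, domain = host.lower(), domain.lower()
    if host == domain:
        return True
    return domain.startswith(".") and host.endswith(domain) and len(host) > len(domain)

def rfc2109_accepts(request_host: str, domain_attr: str):
    """Apply the three section 4.3.2 rejection rules; return (accepted, reason)."""
    request_host, domain_attr = request_host.lower(), domain_attr.lower()
    # Rule 1: Domain must start with a dot and contain at least one embedded dot.
    if not domain_attr.startswith(".") or "." not in domain_attr[1:]:
        return False, "Domain lacks a leading dot or an embedded dot"
    # Rule 2: the request-host must domain-match the Domain attribute.
    if not domain_match(request_host, domain_attr):
        return False, "request-host does not domain-match Domain"
    # Rule 3: request-host has the form H + Domain and H contains a dot.
    h = request_host[: -len(domain_attr)]
    if "." in h:
        return False, f"H={h!r} contains a dot"
    return True, "ok"

def hosts_receiving_cookie(setting_host: str, domain_attr: str,
                           candidate_hosts: list, strict: bool = True) -> list:
    """Hosts to which a client would send the cookie (section 4.3.4).

    strict=True : literal 4.3.2 behaviour, a rejected cookie goes nowhere.
    strict=False: assumed lenient behaviour from the answer above, a rejected
                  cookie is still returned to the host that set it, nowhere else.
    """
    accepted, _ = rfc2109_accepts(setting_host, domain_attr)
    if accepted:
        return [h for h in candidate_hosts if domain_match(h, domain_attr)]
    if strict:
        return []
    return [h for h in candidate_hosts if h.lower() == setting_host.lower()]

if __name__ == "__main__":
    # Constructed sample hosts mirroring the question.
    hosts = ["x.y.myserver.com", "z.y.myserver.com", "www.other.com"]
    for mode in (True, False):
        print("strict" if mode else "lenient",
              hosts_receiving_cookie("x.y.myserver.com", ".myserver.com", hosts, mode))
```

Later cookie specifications (RFC 6265) dropped the embedded-dot rule of 4.3.2 entirely, which is why a present-day browser accepts Domain=.myserver.com from x.y.myserver.com and sends it to every host under myserver.com.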
