
How does a browser handle a cookie with no path and

Published 2020-08-18 06:12

Question:

I have googled this a lot now and have found conflicting answers. So my question is: how does a browser handle an HTTP cookie that has no domain and no path attributes?

For example this response from server:

200 OK https://example.com/a/b (6047ms)
Set-Cookie: x-my-cookie=1.0; Max-Age=86400000; Expires=Sun, 05-Jan-2020 08:30:25 GMT

Should the cookie be included when making requests to https://m.example.com/a/b?

What about https://example.com/zzzz?

And https://example.com/a?

And https://example.com/a/b/c?

And https://example.com?

Answer 1:

For Set-Cookie without domain attribute, the cookie's domain value is "the origin server". According to RFC6265:

Unless the cookie's attributes indicate otherwise, the cookie is returned only to the origin server (and not, for example, to any subdomains)...If the server omits the Domain attribute, the user agent will return the cookie only to the origin server.

With the following exception:

WARNING: Some existing user agents treat an absent Domain attribute as if the Domain attribute were present and contained the current host name. For example, if example.com returns a Set-Cookie header without a Domain attribute, these user agents will erroneously send the cookie to www.example.com as well.

Maybe that's why you found conflicting answers.


For Set-Cookie without path attribute, RFC6265 states that:

If the server omits the Path attribute, the user agent will use the "directory" of the request-uri's path component as the default value.


For your example, the answer would be:

Should the cookie be included when making requests to https://m.example.com/a/b?

No. Because m.example.com is not the origin server (example.com).

What about https://example.com/zzzz?

No. Because /zzzz is not under "directory" /a/b.

And https://example.com/a?

No. Because /a is not under "directory" /a/b.

And https://example.com/a/b/c?

Yes. Because /a/b/c IS under "directory" /a/b.

And https://example.com?

No. Because / is not under "directory" /a/b.
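The following is an added example, not code from the question or the answer above: a small simulation of how an RFC 6265 user agent scopes a Set-Cookie header that carries neither a Domain nor a Path attribute, run against the five URLs from the question. It implements the default-path algorithm and path-match rules of RFC 6265 section 5.1.4, the domain-match rule of section 5.1.3, and the host-only check of section 5.4. Note that the RFC's default-path algorithm keeps the request path only up to, and not including, the rightmost "/", so for a cookie set by `/a/b` the computed cookie-path is `/a`; the checks below follow that rule. The `legacy_absent_domain` switch is an assumption introduced here to model the non-compliant behaviour the RFC warns about (an absent Domain attribute treated as if it named the current host), which is what makes the cookie leak to `m.example.com`. Secure, HttpOnly and expiry handling are left out because the question does not ask about them.

```python
"""Minimal RFC 6265 cookie-scoping simulation (added example)."""
from urllib.parse import urlsplit

# Constructed from the question: the response came from https://example.com/a/b.
ORIGIN_URL = "https://example.com/a/b"
SET_COOKIE = "x-my-cookie=1.0; Max-Age=86400000; Expires=Sun, 05-Jan-2020 08:30:25 GMT"
QUESTION_URLS = [
    "https://m.example.com/a/b",
    "https://example.com/zzzz",
    "https://example.com/a",
    "https://example.com/a/b/c",
    "https://example.com",
]


def default_path(uri_path: str) -> str:
    """RFC 6265 s5.1.4: compute the default cookie-path from the request-uri path."""
    if not uri_path or not uri_path.startswith("/"):
        return "/"
    if uri_path.count("/") <= 1:          # e.g. "/a" -> "/"
        return "/"
    return uri_path[: uri_path.rfind("/")]  # "/a/b" -> "/a"


def path_matches(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 s5.1.4 path-match: identical, or prefix on a '/' boundary."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        if cookie_path.endswith("/"):
            return True
        if request_path[len(cookie_path)] == "/":
            return True
    return False


def domain_matches(host: str, domain: str) -> bool:
    """RFC 6265 s5.1.3 domain-match (IP-address special case omitted here)."""
    if host == domain:
        return True
    return host.endswith(domain) and host[-len(domain) - 1] == "."


def parse_set_cookie(header: str, request_url: str) -> dict:
    """Store a cookie the way RFC 6265 s5.3 does for Domain/Path defaults."""
    name_value, *attrs = header.split(";")
    name, _, value = name_value.strip().partition("=")
    attributes = {}
    for attr in attrs:
        key, _, val = attr.strip().partition("=")
        attributes[key.lower()] = val
    parts = urlsplit(request_url)
    host = parts.hostname.lower()
    domain = attributes.get("domain", "").lstrip(".").lower()
    # No Domain attribute: host-only cookie, scoped to exactly the origin host.
    host_only = not domain
    path = attributes.get("path", "")
    if not path.startswith("/"):
        path = default_path(parts.path)  # No (usable) Path attribute: default-path.
    return {"name": name, "value": value, "domain": domain or host,
            "host_only": host_only, "path": path}


def should_send(cookie: dict, request_url: str, legacy_absent_domain: bool = False) -> bool:
    """RFC 6265 s5.4 steps 1-2: domain/host-only check, then path-match."""
    parts = urlsplit(request_url)
    host = parts.hostname.lower()
    request_path = parts.path or "/"
    if cookie["host_only"] and not legacy_absent_domain:
        domain_ok = host == cookie["domain"]       # exact host match only
    else:
        domain_ok = domain_matches(host, cookie["domain"])  # subdomains allowed
    return domain_ok and path_matches(request_path, cookie["path"])


def evaluate(legacy_absent_domain: bool = False) -> dict:
    """Map each URL from the question to whether the cookie would be sent."""
    cookie = parse_set_cookie(SET_COOKIE, ORIGIN_URL)
    return {url: should_send(cookie, url, legacy_absent_domain) for url in QUESTION_URLS}


if __name__ == "__main__":
    cookie = parse_set_cookie(SET_COOKIE, ORIGIN_URL)
    print("stored cookie:", cookie)
    for mode in (False, True):
        print("legacy_absent_domain =", mode)
        for url, sent in evaluate(mode).items():
            print(f"  {url:32} -> {'sent' if sent else 'not sent'}")
```

Running it prints the stored cookie (`domain` example.com, `host_only` True, `path` /a) followed by the per-URL decisions in both modes; the only difference between the RFC-compliant and the legacy mode is `https://m.example.com/a/b`, which is exactly the subdomain leak the RFC's warning describes.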



Tags: http url cookies