When I visit a sub-domain website ex: https://sub2.example.com, from a browser console I can set a cookie for parent domain.
document.cookie = "nameCookie=HelloWorld; domain=.example.com;"
as per Cookie RFC this works! and this cookie should be available to all sub-domains.
ex:
https://example.com
https://sub2.example.com
https://xxx.example.com
But my problem, this concept is not working on some websites.
for ex:
Go to https://square.github.io/
open browser console
document.cookie = "nameCookie=HelloWorld; domain=.github.io;"
console.log(document.cookie)
check that nameCookie is not available.
Why it is not working here? any Http header/rule setup on those websites?
Because github.io is on the list of effective top-level domains (eTLDs) (raw list here), so each github.io subdomain is treated like a subdomain of a top-level domain (that is, _______.github.io is treated just like _______.com or _______.co.uk).
I need to set a cookie from my main domain, read then remove the cookie from a subdomain. But I also need to possibly set that cookie again on the domain in the future, and read it later on the subdomain. Basically, a stream of one-way communication. I cannot have the main domain handle unsetting the cookie, because it could be months between users hitting the main domain and the subdomain.
I set a cookie on my domain, like so:
document.cookie = "mycookie=testcookie;domain=example.com;max-age=31536000;";
I access it just fine on another subdomain, as such:
document.cookie.replace(/(?:(?:^|.*;\s*)testcookie\s*\=\s*([^;]*).*$)|^.*$/, "$1");
I then try to kill it from the subdomain:
document.cookie = "mycookie=;domain=example.com;max-age=0;";
That does not work. Cookie is still set.
However, setting it like this clears it:
document.cookie = "mycookie=;domain=example.com;max-age=31536000;";
It now returns "" when asking for it from the subdomain.
But... if I go back to the domain and set it again, and I can see it has been set, the subdomain still returns ""
Is there some sort of... hierarchy of cookies I'm missing? I'm unsure how this behaves or how to overcome this.
In order to enable this you have to place a period . before the root domain, like so: .example.com This is important because of the way the cookie standardization is setup. This format should be compatible with most modern browsers.
In addition, the path must be identical when accessing or modifying the cookie across different subdomains. The easiest way to do this is to just use the root path for the domain, /. For example, if you set the cookie from sub1.example.com/page1 and try to access it from sub2.example.com/page2, even though you set the domain as .example.com you also have to set the path=/ in order to access it and modify it from any path on other subdomains.
Ultimately:
document.cookie = "mycookie=testcookie;domain=.example.com;path=/;max-age=31536000";
will enable you to set it and
document.cookie = "mycookie=;domain=.example.com;path=/;max-age=0";
will let you delete it.
I have this weird issue I cannot figure out, so I was hoping someone smarter than me could help!
I have a site https://example.com (no subdomain)
I have some code that sets a cookie, e.g.
var value="some value";
document.cookie="myCookie="+escape(value)+"; path=/; domain=example.com";
This code runs during page load in some script tag. When the page is first loaded, I see my cookie set, and in (chrome) dev tools > Application > Domain column, I see that it is set on .example.com with a leading dot, which is fine.
But then I refresh the page, and my code runs again (and there is a new value being pushed to the cookie; dunno if that matters). I look in the Application tab and I now see a "duplicate" entry for myCookie - one on .example.com and another on example.com (no leading dot). The values are the same. This is weird to me and I do not know why this is happening. Does anybody have any possible reasons for why this can happen?
Further down this rabbit hole.. I refresh the page again and the myCookie value on .example.com updates, but the one on example.com does not. More weirdness!
Meanwhile, I have other code that tries to read the cookie, but apparently the myCookie cookie on example.com takes precedence and I get that value, not the latest value (reflected in the .example.com cookie).
I have tried explicitly setting the cookie on .example.com (domain=.example.com) but the described behavior above still happens. Also, near as I can tell, there is no way for me in javascript to explicitly reference the cookie on .example.com - document.cookie just shows the example.com one (but the dev tools Applications tab does show it? So is this exposed in javascript?)
I can't provide a link to the site, but I can try to answer any questions someone might have to clarify.
But my main question is: can anybody explain possible reasons this might happen, or at least offer something that might point me in the right direction? Or failing that, alternatively some workaround to explicitly read from .example.com?
Edit
At this point, my best guess is something else on the site, likely server-side script, is duping the cookies over from .example.com to example.com but only if the values change. But this is pure speculation. I haven't been able to find any client-side proof of this (yet..) and I don't actually have access to server-side stuff. And this is probably grasping at straws anyways. But it's my best working theory ATM to take back to the site devs to ask them about..
Update - New stuff I have found / Clarifications
To be clear/restate: my site is on https://example.com with no submdomain.
This seems to only happen for my cookies where the value changes each page load. Cookies whose values do not change do not seem to get pushed from .example.com to example.com.
Even for the cookies with dynamic values, it only seems to dupe .example.com to example.com the first time. After that, the example.com cookie value does not change on subsequent page loads, even though the .example.com version gets a new dynamic value.
I have created a test script, separate from the cookies I currently observe this behavior, in an effort to divide and conquer. I thought to rule out any shenanigans with the code that sets/reads the cookies and blackbox this as much as possible.
But I am seeing the same behavior. I still suspect this is some kind of server wtfery going on, like the .example.com cookies are getting sent in the next http request and then the server is writing them back to example.com.. only on the first time? That's the double plot-twist. I don't have access to server-side stuff but I don't even know where to begin with what to holler at the site devs to look at.
Also note that so far between my colleagues and I, we tested the both the javascript lib/code that sets the problem cookies, as well as the blackbox script below on 6 other sites (not even owned/affiliated with this problem site at all) and have not been able to reproduce the issue, which further makes us suspect it is some kind of server config issue (but again, we don't really know where to start with that).
Anyways, in case it somehow helps anybody, below is the script I wrote to (further) test this issue. I am testing with a total of 8 cookies:
test_no_dot_static - I set domain=example.com with a static value
test_no_dot_dynamic - I set domain=example.comwith a dynamic value
test_dot_static - I set domain=.example.com with a static value
test_dot_dynamic - I set domain=.example.com with a dynamic value
test_implicit_no_domain_static - I set a cookie with static value with no domain= specified
test_implicit_no_domain_dynamic - I set a cookie with dynamic value with no domain= specified
test_explicit_no_domain_static - I set a cookie with static value with domain= specified with no value
test_explicit_no_domain_dynamic - I set a cookie with dynamic value with no domain= specified with no value
#1, #3 - These initially get set on .example.com and do not get duped to example.com on page refresh
#2, #4 - These initially get set on .example.com. On first page refresh, the original value is duped to example.com cookie/domain. On 2nd+ page refresh, the example.com cookie values do not change (retain original value), and the .example.com versions get new values each page load.
#5, #7 - These initially get set on example.com (not .example.com) and are there is never a version on .example.com.
#6, #8 - These initially get set on example.com (not .example.com) and their values update each page load, and there is never a version on .example.com .
Test Code
var s_testCookies = {
getCookieValue: function(a) {
var b = document.cookie.match('(^|;)\\s*' + a + '\\s*=\\s*([^;]+)');
return b ? unescape(b.pop()) : '';
},
getRandomValue: function() {
return '' + (new Date()).getTime() + '|' + Math.floor(Math.random() * 100000);
},
run: function(data) {
var data = data || {};
console.log('------------------------');
console.log('Arg: ', JSON.parse(JSON.stringify(data)));
data.previousValue = s_testCookies.getCookieValue(data.name);
console.log('Previous: ', JSON.parse(JSON.stringify(data)));
data.cookie = data.name + "=" + escape(data.value) + "; path=/;";
data.cookie+= (typeof data.domain!='undefined') && (" domain="+data.domain+";") || "";
document.cookie = data.cookie;
data.newValue = s_testCookies.getCookieValue(data.name);
console.log('New: ', JSON.parse(JSON.stringify(data)));
console.log('------------------------');
}
} // end testCookies
s_testCookies.run({
'message': 'no dot static value',
'domain': 'example.com',
'name': 'test_no_dot_static',
'value': 'no dot static value'
});
s_testCookies.run({
'message': 'no dot dynamic value',
'domain': 'example.com',
'name': 'test_no_dot_dynamic',
'value': s_testCookies.getRandomValue()
});
s_testCookies.run({
'message': 'dot static value',
'domain': '.example.com',
'name': 'test_dot_static',
'value': 'dot static value'
});
s_testCookies.run({
'message': 'dot dynamic value',
'domain': '.example.com',
'name': 'test_dot_dynamic',
'value': s_testCookies.getRandomValue()
});
s_testCookies.run({
'message': 'implicit no domain static value',
'name': 'test_implicit_no_domain_static',
'value': 'implicit no domain static value'
});
s_testCookies.run({
'message': 'implicit no domain dynamic value',
'name': 'test_implicit_no_domain_dynamic',
'value': s_testCookies.getRandomValue()
});
s_testCookies.run({
'message': 'explicit no domain static value',
'domain':'',
'name': 'test_explicit_no_domain_static',
'value': 'explicit no domain static value'
});
s_testCookies.run({
'message': 'explicit no domain dynamic value',
'domain':'',
'name': 'test_explicit_no_domain_dynamic',
'value': s_testCookies.getRandomValue()
});
Another Update based on comments / answers provided
To be clear, in practice, the issue is that we have some cookies that we set with values on a page load. Then when the page is refreshed (or another page is navigated to on the site), we read the value, do something with it, generate a new value and set the cookies again. Wash rinse repeat each page (re)load.
The issue is on initial page view, those cookies are set on .example.com domain. Then on next page load, the initial cookie/value gets duped to exampe.com, and also the cookie on .example.com gets an updated value. Then on another page load, the previous .example.com value does not get duped/pushed to example.com version of the cookie; only the .example.com version updates. So it only gets duped/pushed to example.com on the 2nd page load. Not 3rd+.
Meanwhile, the example.com cookie takes precedence and is the one document.cookie returns when we parse for the cookie value. So on 3rd+ page load, we just keep getting the value from page #2 returned from that example.com cookie, instead of the updated value in .example.com
Meanwhile, we cannot simply not specify a domain= value (#6 or #8 above), because there are in fact subdomains in play e.g. mobile.example.com that also have the code that reads/updates/writes those cookies, and if we do not specify a domain, then the cookie is only available on exactly example.com and cannot be read on mobile.example.com.
Udpate
#ffeast asked the following questions:
What does curl -I yourdomain return? Are there any Set-Cookie headers?
Here you go!
user#host:~$ curl -I https://example.com
HTTP/1.1 200 OK
X-Powered-By: Express
set-cookie: site#lang=en; Path=/;Secure
set-cookie: connect.sid=s%3As46fwOPaosGdwis0G_Wdv7gzUs75Q0rr.O1gLsLmrHmmdBXxPWJrIq8UWwOOaQf96qxUlW%2FxnEuM; Path=/; HttpOnly;Secure
Cache-Control: no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: 0
Content-Type: text/html; charset=utf-8
Content-Length: 19632
ETag: W/"4cb0-bgHMEy79PzLMv7jhB1Lh6A"
Vary: Accept-Encoding
Date: Fri, 16 Mar 2018 20:42:19 GMT
Connection: keep-alive
Set-Cookie: SecureCookie=!zPdIdxiz3mOMe2MYzy1p873u0yWtMdduASsHoU06gkaLs306mhR7cb3ir4TA2EG2cQGKmeVWJeYvxA/flQfPQUixqL8WMOfROsTgu3UZZg==; path=/; Httponly; Secure
I also see the same Response Headers from browser tab.
So there are some set-cookie headers in the initial http response, yes. They are not cookies I personally have anything to do with or know about for my scope of things, but I can ask what they are for, if that somehow helps. Example:
I notice that a domain= value is not explicitly set for them.. is it possible this somehow sets a precedent for the browser, or am I barking up the wrong tree? Even if it did though, I don't think that explains the dupe to example.com only to my cookies that change their values, nor it only happening on 2nd page load (not 3rd+)? Not sure where you're going with this, but I'm all ears!
If your goal is to use a cookie sharing between all sub-domains, allowing everyone to access and set the cookie, then you need to specify the root domain whenever you set the cookie.
Suppose you have sub.example.com, sub2.example.com and example.com, and you want to share the cookie between them then set the domain to example.com. When you don't specify a domain the cookie is only property of example.com or sub.example.com, but when you specify domain to be example.com, then it becomes accessible to example.com and all it's subdomains to read and write to.
domain=domain (e.g., 'example.com' or 'subdomain.example.com').
If not specified, defaults to the host portion of the current document
location (but not including subdomains). Contrary to earlier
specifications, leading dots in domain names are ignored, but browsers
may decline to set the cookie containing such dot . If a domain is
specified, subdomains are always included.
[source: developer.mozilla.org]
In example.com:
var value="some value";
document.cookie="myCookie="+escape(value)+"; path=/; domain=example.com";
In sub.example.com: (same as above)
var value="some value";
document.cookie="myCookie="+escape(value)+"; path=/; domain=example.com";
In both cases you have to set it to example.com. Otherwise the following situations may arise
In example.com if you forget to set example.com at a single place, a new cookie will be created only for example.com that will be different from the shared one and will not sync with it creating lots of confusion.
In sub.example.com if you forget to set example.com at a single place, a new cookie will be created only for sub.example.com that will be different from the shared one and will not sync with it creating lots of confusion.
You should not set cookie to .example.com as it is not appreciated according to the above quote.
Possible causes of cookie duplication:
When first time the page is loaded JavaScript sets the cookie with specifying domain=example.com that sets the cookie for .example.com, when the second request is made browser sends the cookie to the server, some code on server-side receiving the new cookie sets it back on example.com. This can only be verified inspecting the response headers of the second request.
When first time the page is loaded JavaScript sets the cookie with specifying domain=example.com that sets the cookie for .example.com. When the page loads for the seconds time any JavaScript code is by mistake setting it without specifying domain=example.com that sets the cookie for example.com. This can only be verified inspecting the JavaScript codes involved in setting cookies.
I believe accidental creation of domain/sub-domain specific cookies are the cause of all the anomalies you described. Reviewing every section of code where cookies are being set may solve the issue.
UPDATE: What is really happening here.
You are using InvocaJS v3.6.6 and AngularJS v1.2.19, both of them having cookie management features. InvocaJS stores data in cookie as invoca_session and specifies domain example.com, so the cookie is set for .example.com. There is no problem when AngularJS sees the cookie for the first time, it remembers it. AngularJS keeps a copy of all the cookies and when you update any cookie by AngularJS, you actually modify the copy. Afterward AngularJS loops through all the cookies, compares it with copy to determine and update which cookies have been updated by AngularJS.
InvocaJS the repeatedly changes the value of invoca_session. When AngularJS loops though all the cookies and invoca_session does not match with the value AngularJS has, it thinks the value has been changed by AngularJS (as described above) and it updates the value of invoca_session replacing the new value with old one. (I tested it, this is exactly how AngularJS v1.2.19 worked)
The problem is Angular v1.2.19 does not specify any domain while setting cookies (predicted earlier as bug probability #2). So a new cookie is created with domain set to example.com. Afterwards when InvocaJS tries to read the cookie it reads the old cookie set for example.com.
AngularJS altering cookie
According to w3schools.com documention, you may use a function to built, get and check your cookie.
You may take a look on How do browser cookie domains work, also here and here to better understand how browser and javascript handle cookie setup.
As you said in your question that error is visible also Firefox, it may be useful to note that:
Contrary to earlier specifications, leading dots in domain names are ignored, but browsers may decline to set the cookie containing such dot . If a domain is specified, subdomains are always included.
As you said :
Meanwhile, the example.com cookie takes precedence and is the one document.cookie returns when we parse for the cookie value. So on 3rd+ page load, we just keep getting the value from page #2 returned from that example.com cookie, instead of the updated value in .example.com
You may double check if some data are loaded from a sub-domain xxx.example.com on the first load and future page load.
Verify that if some data are cached during future reload.
You may finally double check the presence of the following headers in requests:
Cache-Control: no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: 0
which avoid caching issue.
I tried it with jQuery:
$.cookie('test', 'value', { expires: 7, path: '/', domain: 'test.com' });
but it won't work.
it's possible to do?
Nope, that will not work for security reasons.
It is not possible to do due to security reasons.
if you are in control of the 2nd domain there are some options to share your cookies described already here:
What's your favorite cross domain cookie sharing approach?
Due to many people abusing it, most browsers block 3rd party either by default or by the user setting such a preference.
From Cookies:
Each cookie also has a domain and a
path. The domain tells the browser to
which domain the cookie should be
sent. If you don't specify it, it
becomes the domain of the page that
sets the cookie, in the case of this
page www.quirksmode.org. Please note
that the purpose of the domain is to
allow cookies to cross sub-domains. My
cookie will not be read by
search.quirksmode.org because its
domain is www.quirksmode.org . When I
set the domain to quirksmode.org, the
search sub-domain may also read the
cookie.
I cannot set the cookie domain to a domain I'm not in, I cannot make the
domain www.microsoft.com . Only
quirksmode.org is allowed, in this
case.
(Note: See also the related question Can browsers react to Set-Cookie specified in headers in an XSS jquery.getJSON() request?)
I can't seem to set a cookie (whose name is mwLastWriteTime) in the request header of a JSON operation. The request itself is a simple one from the Freebase MQL tutorials, and it is working fine otherwise:
// Invoke mqlread and call the function below when it is done.
// Adding callback=? to the URL makes jQuery do JSONP instead of XHR.
jQuery.getJSON("http://api.sandbox-freebase.com/api/service/mqlread?callback=?",
{query: JSON.stringify(envelope)}, // URL parameters
displayResults); // Callback function
I'd hoped that I could set this cookie with something along the lines of:
$.cookie('mwLastWriteTime', value, {domain: ".sandbox-freebase.com"});
Unfortunately, looking in FireBug at the outgoing request header I see only:
Host api.sandbox-freebase.com
User-Agent [...]
Accept */*
Accept-Language en-us,en;q=0.5
Accept-Encoding gzip,deflate
Accept-Charset ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive 115
Connection keep-alive
Referer [...]
But if I don't specify the domain (or if I explicitly specify the domain of the requesting site) I can get mwLastWriteTime to show up in the headers for local requests. Since the .sandbox-freebase.com domain owns these cookies, shouldn't they be traveling along with the GET? Or does one need a workaround of some sort?
My code is all JavaScript, and I would like to set this cookie and then call the getJSON immediately afterward.
You cannot set a cross-domain cookie, because that would open the browser (and therefore the user) to XSS attacks.
To quote from the QuirksMode.org article that I reference above:
Please note that the purpose of the
domain is to allow cookies to cross
sub-domains. My cookie will not be
read by search.quirksmode.org because
its domain is www.quirksmode.org .
When I set the domain to
quirksmode.org, the search sub-domain
may also read the cookie. I cannot set
the cookie domain to a domain I'm not
in, I cannot make the domain
www.microsoft.com . Only
quirksmode.org is allowed, in this
case.
If you want to make cross-site request with cookie values you will need to set up a special proxy on a server you control that will let you pass in values to be sent as cookie values (probably via POST parameters). You'll also want to make sure that you properly secure it, lest your proxy become the means by which someone else's private information is "liberated".
Are you running all of your tests through localhost? Are you using IE? If so it will be enforcing its own special brand of security requirements and likely dumping your cookies. Open fiddler and use http://ipv4.fiddler to bypass that.
If that type of trickery is not going on (as it appears you are using FireFox) , it may also be the case that you do need to explicitely set the cookie's domain to be the same as the domain of your JSON request. A browser won't send cookies set for domain A to a request to domain B. I am not 100% sure this is the case though.