Another cookie rejection pitfall - problems with null path and domain

There are two more cookie pitfalls that are easy to stumble into, both to do with the path and domain attributes. Not setting a path on your persistent cookies in particular can lead to frustrating, hard-to-reproduce behaviour. Read on for the details.

First of all, there are two kinds of cookies: session cookies and persistent cookies. A session cookie has no expiration attribute and is discarded when the browser is closed. A persistent cookie has an expiration time set (Expires or Max-Age); as long as that time is in the future, the browser keeps the cookie and is obliged to send it back to the server with every request that matches the cookie's domain and path.

So far everything seems easy, but not for long. There are two more attributes, path and domain, and they follow some strict rules:

1. the domain rules apply to session cookies exactly as they do to persistent cookies. A missing expiration time is never by itself a reason for rejection; what gets a cookie rejected by the browser is a domain attribute that does not match the host serving the page (rule 2), and that happens whether or not the cookie has an expiration time!
2. the domain can only be set to a domain the serving host belongs to. A page served from a host inside a domain may set a cookie for that domain (for example a subdomain may set a cookie for its parent domain), and the cookie is then sent to every host in that domain, subdomains included. You are not allowed to set a cookie for some random domain, only your own, and browsers also refuse cookies set for a public suffix such as a bare top-level domain.
3. if the domain is not set, the cookie is a host-only cookie: the browser sends it only to the exact host that set it, not to its subdomains.
4. if the path is set, the cookie is only sent with requests for resources under that path (the request path must be equal to the cookie path, or start with it followed by a /).
5. if the path is not explicitly set, the browser uses a default: the "directory" of the URL that set the cookie, that is, the request path up to but not including its last /, or just / when the request path has no other slash.

As you can see, if you want to set a cookie from a PHP framework you have to be careful, and you probably want to set the path explicitly to /. If a visitor first arrives at your home page (/) the default path is / as well, the cookie is sent along on all further requests and everything appears to work. But if the visit starts in a subfolder like /articles/computers/sql.php (easy when coming from a search engine), the default path becomes /articles/computers and the cookie is only sent with requests for resources in that subfolder. So after coming first to /articles/computers/sql.php and then going to /articles/list.php, the browser will not send the cookie along with the request for /articles/list.php, and the server sees what looks like a new visitor. Keep in mind that path is a scoping convenience, not a security boundary: the same-origin policy ignores paths, so a script running on another path of the same host can still read the cookie through document.cookie.
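As an added example (not code from the original post), here is a small JavaScript model of the browser-side rules above, reduced to domain and path handling. It reproduces the scenario just described and also shows that a session cookie with a matching Domain is accepted while one with a foreign Domain is rejected. The host name, paths and cookie names are made up for the demonstration, and the public-suffix and IP-address checks that real browsers perform are left out.

```javascript
// Added example, not code from the original post: a small model of the cookie
// storage and matching rules the post describes (RFC 6265 sections 5.1.3, 5.1.4,
// 5.3 and 5.4), reduced to domain and path handling. Host names, paths and
// cookie names below are made up for the demonstration. The public-suffix
// check and IP-address handling that real browsers perform are left out.

// Default-path of a request URI (RFC 6265 5.1.4): everything up to, but not
// including, the right-most "/"; "/" if there is no other slash.
function defaultPath(uriPath) {
  if (!uriPath || uriPath[0] !== '/') return '/';
  const lastSlash = uriPath.lastIndexOf('/');
  return lastSlash === 0 ? '/' : uriPath.slice(0, lastSlash);
}

// Path-match (RFC 6265 5.1.4): identical, or the cookie path is a prefix that
// ends in "/" or is followed by "/" in the request path.
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  if (cookiePath.endsWith('/')) return true;
  return requestPath[cookiePath.length] === '/';
}

// Domain-match (RFC 6265 5.1.3): identical, or host ends with "." + domain.
function domainMatches(host, domain) {
  return host === domain || host.endsWith('.' + domain);
}

// Process one Set-Cookie header received in a response to (requestHost,
// requestPath). Returns the stored cookie, or null when the browser would
// reject it. A missing Expires/Max-Age (a session cookie) is never a reason
// for rejection; only a non-matching Domain is.
function storeCookie(jar, requestHost, requestPath, setCookieHeader) {
  const parts = setCookieHeader.split(';').map(s => s.trim());
  const eq = parts[0].indexOf('=');
  if (eq <= 0) return null;                          // malformed name=value pair
  const cookie = {
    name: parts[0].slice(0, eq).trim(),
    value: parts[0].slice(eq + 1).trim(),
    hostOnly: true,                                  // no Domain attribute yet
    domain: requestHost.toLowerCase(),
    path: null,                                      // filled in below
    persistent: false,
  };
  for (const attr of parts.slice(1)) {
    const [rawKey, ...rest] = attr.split('=');
    const key = rawKey.trim().toLowerCase();
    const val = rest.join('=').trim();
    if (key === 'domain') {
      const d = (val.startsWith('.') ? val.slice(1) : val).toLowerCase();
      if (!d) continue;                              // empty Domain is ignored
      if (!domainMatches(cookie.domain, d)) return null; // rule 2: rejected
      cookie.hostOnly = false;
      cookie.domain = d;
    } else if (key === 'path') {
      cookie.path = val.startsWith('/') ? val : null; // bad Path falls back to default
    } else if (key === 'expires' || key === 'max-age') {
      cookie.persistent = true;
    }
  }
  if (cookie.path === null) cookie.path = defaultPath(requestPath); // rule 5
  const i = jar.findIndex(c => c.name === cookie.name &&
                               c.domain === cookie.domain && c.path === cookie.path);
  if (i >= 0) jar.splice(i, 1);                      // same name+domain+path replaces
  jar.push(cookie);
  return cookie;
}

// Cookies the browser would attach to a request for (host, path) (RFC 6265 5.4).
function cookiesFor(jar, host, path) {
  const h = host.toLowerCase();
  return jar
    .filter(c => (c.hostOnly ? h === c.domain : domainMatches(h, c.domain)) &&
                 pathMatches(path, c.path))
    .map(c => `${c.name}=${c.value}`);
}

// Reproduce the scenario from the post: a visitor lands on a deep page and then
// navigates to a page one folder up, with and without an explicit Path=/.
function demo() {
  const host = 'www.example.com';                    // made-up host
  const landing = '/articles/computers/sql.php';
  const next = '/articles/list.php';

  const noPath = [];
  storeCookie(noPath, host, landing, 'visited=1');           // no Path attribute
  const rootPath = [];
  storeCookie(rootPath, host, landing, 'visited=1; Path=/'); // explicit Path=/

  return {
    storedPath: noPath[0].path,                              // '/articles/computers'
    noPathSentToNext: cookiesFor(noPath, host, next),        // [] - the pitfall
    noPathSentToLanding: cookiesFor(noPath, host, landing),  // ['visited=1']
    rootPathSentToNext: cookiesFor(rootPath, host, next),    // ['visited=1']
  };
}

console.log(demo());
```

The default path is computed from the URL of the page that set the cookie, so with no Path attribute the same framework code produces a different cookie scope depending on where the visit started; Path=/ makes the scope independent of the landing page.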

You can also open the IE security report screen to see which cookies were rejected or accepted; you might get lucky and see what happened ;-)

The best way, though, is to capture the network traffic: use a proxy like Charles or a network sniffer like Wireshark (formerly Ethereal), and compare the Set-Cookie header the server sends with the Cookie header the browser sends back on the next request.


About the author

Artur Ejsmont

Hi, my name is Artur Ejsmont,
welcome to my blog. I am a passionate software engineer living in Sydney and working for Yahoo!
