I have two HTTP services running on one machine. I just want to know if they share their cookies or whether the browser distinguishes between the two server sockets.
+1
A:
It's optional.
The port may be specified so cookies can be port specific. It's not necessary, the web server / application must care of this.
Source: German Wikipedia article, RFC2109, Chapter 4.3.1
furtelwart
2009-10-23 08:57:28
A:
If you have different ports associated to different servers and you go to them using: http://servername%3Aport/ then cookies are different and recognized as different for each server.
Lex
2009-10-23 08:57:47
I'm sorry, but your answer is not correct. It depends how the Set-Cookie header was defined. It's allowed to set it with and without a port. See my answer.
furtelwart
2009-10-23 09:11:24
+1
A:
This is a big gray area in cookie SOP (Same Origin Policy).
Theoretically, you can specify port number in the domain and the cookie will not be shared. In practice, this doesn't work with several browsers and you will run into other issues. So this is only feasible if your sites are not for general public and you can control what browsers to use.
The better approach is to get 2 domain names for the same IP and not relying on port numbers for cookies.
ZZ Coder
2009-10-23 14:15:46