When you setcookie('id','111'...) does the browser store that cookie with additional information, like where it came from? What would that look like? I assume a website cannot access cookies set by Facebook or Twitter on somebody's computer.

A: 

You can find out the cookies a domain is storing using a simple method: just paste the following code into your address bar while on the site you are inquiring about. But it's true that a whole lot of other metadata is stored with the raw cookie values; the browser obviously has to be careful that only a single domain can access its own cookies, and it needs to keep track of when they need to expire, etc.

javascript:document.write(document.cookie);

And you are correct, the browsers try very hard to make sure cookies are only accessible to the domains that set them. There have been many crafty exploits using JavaScript and iframes in the past and XSS vulnerabilities are a huge problem still today.

Sam152
+1  A: 

Generally, this information is saved:

  • Name
  • Content
  • Domain (default is the domain you are setting it from)
  • Path (default is the path you are setting it from)
  • Send for (i.e. encrypted connections only)
  • Expiration date

Cookies are generally identified by a combination of name, domain and path. This means that a website can only access cookies that have been set on the same domain and path (which is good, as this prevents the sites you mentioned from reading cookies that have been set on other websites you have visited).

More information regarding the actual specification of how cookies RFC2965.

Aron Rotteveel
So I don't need to name a cookie after my website, is that correct?
sombe
Indeed. The name of the cookie does not really matter, functionality-wise; just be sure to set it on the correct domain and path.
Aron Rotteveel
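
An added example, not part of the original answers: a simplified JavaScript model of the record a browser keeps for each cookie (name, value, domain, path, secure flag, expiry) and of the checks it runs before sending that cookie with a request. The function names and sample hosts are hypothetical, and the matching follows the RFC 6265 rules in simplified form.

```javascript
// Added illustration, not code from the answers. Function names are hypothetical.
// Simplified: real browsers also refuse Domain values that are public suffixes.

function domainMatches(host, c) {
  return host === c.domain || (!c.hostOnly && host.endsWith('.' + c.domain));
}

function pathMatches(reqPath, cookiePath) {
  if (reqPath === cookiePath) return true;
  return reqPath.startsWith(cookiePath) &&
    (cookiePath.endsWith('/') || reqPath[cookiePath.length] === '/');
}

// Build the record a browser would store for one Set-Cookie value.
function storeCookie(setCookie, fromUrl, now) {
  const url = new URL(fromUrl);
  const [pair, ...attrs] = setCookie.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const dir = url.pathname.slice(0, url.pathname.lastIndexOf('/')) || '/';
  const c = { name: pair.slice(0, eq), value: pair.slice(eq + 1), domain: url.hostname,
              hostOnly: true, path: dir, secure: false, expires: null };
  for (const a of attrs) {
    const i = a.indexOf('=');
    const key = (i < 0 ? a : a.slice(0, i)).toLowerCase();
    const val = i < 0 ? '' : a.slice(i + 1);
    if (key === 'domain' && val) { c.domain = val.replace(/^\./, '').toLowerCase(); c.hostOnly = false; }
    else if (key === 'path' && val.startsWith('/')) c.path = val;
    else if (key === 'secure') c.secure = true;
    else if (key === 'max-age') c.expires = now + Number(val) * 1000;
  }
  // A site may set cookies only for its own host or a parent domain of it.
  return domainMatches(url.hostname, c) ? c : null;
}

// Value of the Cookie request header the browser would send to requestUrl.
function cookieHeader(jar, requestUrl, now) {
  const url = new URL(requestUrl);
  return jar.filter(c => domainMatches(url.hostname, c) &&
      pathMatches(url.pathname, c.path) &&
      (!c.secure || url.protocol === 'https:') &&
      (c.expires === null || c.expires > now))
    .map(c => `${c.name}=${c.value}`).join('; ');
}

// Constructed sample jar; the third Set-Cookie is rejected (foreign domain).
const JAR = [
  storeCookie('id=111', 'https://shop.example/account/login', 0),
  storeCookie('sid=abc; Domain=example.org; Path=/; Secure; Max-Age=3600', 'https://www.example.org/', 0),
  storeCookie('x=1; Domain=example.org', 'https://shop.example/', 0),
].filter(Boolean);
```

The first cookie is stored with the defaults the list above mentions (domain `shop.example`, path `/account`), so it is returned for `/account/settings` but not for `/cart` or `/accounting`.
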
A: 

Cookies can be accessed only by the setting domain (or a sub-domain of that domain).

The browser stores:

  • cookie name
  • value
  • date/time set
  • date/time of expiry
  • domain

A website could access, say, Facebook cookies by using a JavaScript hosted on the Facebook domain.

adam
A: 

By the same-origin policy, a cookie can be accessed only by the site that has set it.

appusajeev