Are sub-domain cookies sent in a parent domain HTTP request?

For instance, say I have the cookies:

Name     Value     Domain (not https)
ABC      1         .example.com
XYZ      0         foo.example.com
DEF      0         bar.example.com

Would [email protected] and [email protected] be sent along in the HTTP-header cookies on a request to http://example.com/content, and/or http://QQQ.example.com/content?

+1  A: 

No. It's the other way around: parent-domain cookies are sent in sub-domain HTTP requests.

bobince

+1  A: 

The leading dot in the domain value .example.com means example.com and its subdomains. Without the leading dot, the cookie is only valid for this specific domain.

Note that when setting a cookie, domain values without a leading dot will be prepended with a dot. Only when the domain parameter is not set does the user agent assume the current domain for that cookie.

So in this case, if http://example.com/ is requested, only the cookie for .example.com will be sent. But in case of http://foo.example.com/, both cookies for .example.com and foo.example.com will be sent. And in case of http://bla.foo.example.com, only the cookie for .example.com will be sent.

Gumbo
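
The selection rule discussed in the answers above, as an added example that is not part of either answer: it follows the domain-matching and host-only rules of RFC 6265 (sections 5.1.3 and 5.4) and ignores Path, Secure and expiry. The jar is constructed from the question's table, assuming XYZ and DEF were set without a Domain attribute (host-only); `jar`, `domainMatches` and `cookiesFor` are names chosen here.

```javascript
// Constructed jar mirroring the question's table.
// hostOnly=true models a cookie set WITHOUT a Domain attribute (assumption
// for XYZ and DEF); hostOnly=false models one set WITH a Domain attribute.
const jar = [
  { name: "ABC", domain: "example.com", hostOnly: false }, // Domain=.example.com
  { name: "XYZ", domain: "foo.example.com", hostOnly: true },
  { name: "DEF", domain: "bar.example.com", hostOnly: true },
];

// IP literals never match by suffix, only by exact comparison.
const isIp = (h) => /^\d{1,3}(\.\d{1,3}){3}$/.test(h) || h.includes(":");

// RFC 6265 5.1.3: the host is identical to the cookie domain, or it ends
// with "." + cookie domain. A leading dot on the cookie domain is ignored.
function domainMatches(host, cookieDomain) {
  host = host.toLowerCase();
  cookieDomain = cookieDomain.toLowerCase().replace(/^\./, "");
  if (host === cookieDomain) return true;
  return !isIp(host) && host.endsWith("." + cookieDomain);
}

// RFC 6265 5.4: host-only cookies need an exact host match; cookies with
// a Domain attribute are sent to that domain and everything below it.
function cookiesFor(url, cookies = jar) {
  const host = new URL(url).hostname.toLowerCase();
  return cookies
    .filter((c) =>
      c.hostOnly ? host === c.domain.toLowerCase() : domainMatches(host, c.domain))
    .map((c) => c.name);
}

for (const url of [
  "http://example.com/content",
  "http://QQQ.example.com/content",
  "http://foo.example.com/",
  "http://bla.foo.example.com/",
]) {
  console.log(url, "->", cookiesFor(url).join(", "));
}

// Scoping check: the same XYZ cookie set WITH Domain=foo.example.com is no
// longer host-only, so it also reaches hosts below foo.example.com.
const widened = jar.map((c) => (c.name === "XYZ" ? { ...c, hostOnly: false } : c));
console.log("widened XYZ ->", cookiesFor("http://bla.foo.example.com/", widened).join(", "));
```

Because any cookie with a Domain attribute is readable by every host beneath that domain, session cookies are best left host-only unless sharing across subdomains is intended.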