Quirky cookie behaviour

Question

A colleague of mine asked me to take a look at some cookie behaviour. He created simple web app that created a cookie and inserted the value of a text field, he then checked the cookie collection on the next page to see it had been inserted and read back correctly.

All simple really.

On the second page however he noted the was more than one cookie, with the others related to another web app he'd been debugging locally.

I told him this happened because the browser recognised the URL and hence sent all the cookies that it recognised as coming from there, is this correct? Would it do it even if the local debug servers port changed?

Answer 1

Cookies have basically two parameters that instruct the browser when to send them back to the server:

• path
• domain

If no path is given, it defaults to the document location, e.g. a cookie set from http://example.com/foo/bar.html will be sent back to all URLs that begin with /foo.

If domain begins with a dot, it also covers all subdomains. E.g., a cookie set for .example.com will also be sent back to static.example.com.

Port number is not considered.

The issue with debug cookies will not affect your visitors, only developers, so it's easier to just remove the cookies with the appropriate browser option.