Cookies, Ports and Subdomains
This post will look at how browser cookies work when used on different subdomains and on different ports.
I would suggest clicking on the images below to enlarge them, as the browser text can be quite small in places.
Also, for all the examples below, my-testing.com resolves to 127.0.0.1 via a hosts file entry, and has nothing to do with the real domain.
Short Answer & Summary
Below are two tables summarising the results from the post, for those who want a TL;DR or a quick refresher. If these tables don’t make sense, then please continue reading.
If the cookie DOES NOT have the Domain attribute set:
Action | Example | Cookie is Sent |
---|---|---|
Parent Domain | my-testing.com:8443 | ✅ |
Parent Domain & Different Port | my-testing.com:9999 | ✅ |
Subdomain | subdomain1.my-testing.com:8443 | ❌ |
Subdomain & Different Port | subdomain1.my-testing.com:9999 | ❌ |
If the cookie DOES have the Domain attribute set:
Action | Example | Cookie is Sent |
---|---|---|
Parent Domain | my-testing.com:8443 | ✅ |
Parent Domain & Different Port | my-testing.com:9999 | ✅ |
Subdomain | subdomain1.my-testing.com:8443 | ✅ |
Subdomain & Different Port | subdomain1.my-testing.com:9999 | ✅ |
The conclusion is that if your web application is hosted on a domain that has no other web applications on any subdomains, then it is best not to include the Domain attribute.
If different applications are hosted on subdomains, then consideration should be given to whether the parent domain should share its cookies with them, because a cookie carrying the Domain attribute is sent to every subdomain beneath that domain.
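To make the two tables above concrete, here is an added example (not code from the original post) that models the relevant parts of the user-agent cookie rules from RFC 6265: how a browser stores a cookie and records whether it is "host-only" (no Domain attribute), and how it later decides whether that cookie is attached to a request. The two Set-Cookie header values and the host names and ports are taken from the post; the function names, the simplified parser, and the omission of SameSite, cookie prefixes and public-suffix checks are assumptions made for this example.

```python
"""Model of the RFC 6265 cookie rules (sections 5.1.3, 5.1.4, 5.3 and 5.4)
that govern the Domain attribute, subdomains and ports.

Added example, not code from the original post. It deliberately ignores
SameSite, __Host-/__Secure- prefixes and the public suffix list, and treats
every host as a DNS name rather than an IP address."""

from dataclasses import dataclass
from urllib.parse import urlsplit

# Set-Cookie values copied from the post (set while visiting the URL below).
SET_URL = "https://my-testing.com:8443/home"
WITHOUT_DOMAIN = ("sessionid=AMoxoICZ9sWXTi98j6iGn2Wefet3T52qEhB6XCUJssHzl19P; Max-Age=3600; "
                  "Path=/; Expires=Fri, 28 Jan 2022 11:38:40 GMT; HttpOnly; Secure; SameSite=Strict")
WITH_DOMAIN = ("sessionid=gzwFezc9KQ1LHlfVObcb583v1Iyt4XKM0riVM3oUoW8THdpi; Max-Age=3600; "
               "Domain=my-testing.com; Path=/; Expires=Fri, 28 Jan 2022 11:45:06 GMT; "
               "HttpOnly; Secure; SameSite=Strict")

# The four requests from the summary tables.
TARGETS = {
    "Parent Domain": "https://my-testing.com:8443/",
    "Parent Domain & Different Port": "https://my-testing.com:9999/",
    "Subdomain": "https://subdomain1.my-testing.com:8443/",
    "Subdomain & Different Port": "https://subdomain1.my-testing.com:9999/",
}


@dataclass
class StoredCookie:
    name: str
    value: str
    domain: str      # host or domain the cookie applies to, lower-cased
    host_only: bool  # True when Set-Cookie carried no Domain attribute
    path: str
    secure: bool


def domain_match(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 5.1.3: identical, or request_host ends with '.' + cookie_domain."""
    request_host = request_host.lower().rstrip(".")
    cookie_domain = cookie_domain.lower().rstrip(".")
    return request_host == cookie_domain or request_host.endswith("." + cookie_domain)


def path_match(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 5.1.4: identical, or a prefix ending at a '/' boundary."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False


def store_cookie(set_cookie: str, request_url: str) -> StoredCookie:
    """RFC 6265 5.3: parse Set-Cookie and decide host-only versus domain cookie."""
    request_host = urlsplit(request_url).hostname.lower()
    parts = [p.strip() for p in set_cookie.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip()
    domain_attr = attrs.get("domain", "").lower().lstrip(".")
    if domain_attr:
        # A host may only set a cookie for a domain it domain-matches;
        # otherwise the user agent ignores the cookie entirely.
        if not domain_match(request_host, domain_attr):
            raise ValueError(f"{request_host} may not set a cookie for {domain_attr}")
        domain, host_only = domain_attr, False
    else:
        domain, host_only = request_host, True
    return StoredCookie(name, value, domain, host_only, attrs.get("path", "/"), "secure" in attrs)


def cookie_is_sent(cookie: StoredCookie, request_url: str) -> bool:
    """RFC 6265 5.4: is this cookie attached to a request for request_url?
    The port never takes part in this decision, which is why 8443 and 9999
    behave identically in the post."""
    url = urlsplit(request_url)
    host = url.hostname.lower()
    host_ok = host == cookie.domain if cookie.host_only else domain_match(host, cookie.domain)
    path_ok = path_match(url.path or "/", cookie.path)
    scheme_ok = url.scheme == "https" or not cookie.secure
    return host_ok and path_ok and scheme_ok


def summary_table(set_cookie: str) -> dict:
    """Store the cookie as if set while visiting SET_URL, then evaluate each target."""
    cookie = store_cookie(set_cookie, SET_URL)
    return {action: cookie_is_sent(cookie, url) for action, url in TARGETS.items()}


if __name__ == "__main__":
    for label, header in (("without Domain", WITHOUT_DOMAIN), ("with Domain", WITH_DOMAIN)):
        print(f"Cookie {label}:")
        for action, sent in summary_table(header).items():
            print(f"  {action:32} {'sent' if sent else 'NOT sent'}")
```

Running the script prints the same eight results as the two summary tables. The `store_cookie` check that rejects a Domain attribute the setting host does not match is the browser-side rule that stops one site from planting cookies on an unrelated domain; it is worth noting that it does not stop a subdomain from setting a cookie scoped to its parent domain, which is the reason the post advises thinking carefully before sharing cookies across subdomains.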
Cookie without Domain Attribute
We’ll start off by setting a cookie called sessionid when we visit https://my-testing.com:8443/home.
Here is what the Set-Cookie header looks like on the response:

```http
Set-Cookie: sessionid=AMoxoICZ9sWXTi98j6iGn2Wefet3T52qEhB6XCUJssHzl19P; Max-Age=3600; Path=/; Expires=Fri, 28 Jan 2022 11:38:40 GMT; HttpOnly; Secure; SameSite=Strict
```
- Notice that there is no Domain attribute in the above header. This is IMPORTANT.
Same Domain Different Port
Let’s see what happens if we visit a link on the same domain, but a different port. This represents another web server running on a different port. We’ll try to load https://my-testing.com:9999/ and see what happens.
The web server has returned a 404 response. But, if we look more closely, we can see that our sessionid cookie was still sent in the request.
Checking the server logs we can see that the cookie was received as well.
Okay so we know that ports don’t matter if we are loading the page directly. But what about subdomains?
Subdomain with Same Port
We’ll now try to load the page https://subdomain1.my-testing.com:8443/.
From the request headers we can see that our sessionid cookie was NOT sent with the request this time.
Checking the server logs we can see that the cookie was NOT received either.
Okay cool, so cookies set on the parent domain are not valid for subdomains, right? If the Domain attribute isn’t set on the cookie, then yes, this is correct. But this changes if we DO use the Domain attribute.
Cookie with Domain Attribute
Let’s perform the experiment again, now with the Domain attribute set.
Here is what the Set-Cookie header looks like on the response:

```http
Set-Cookie: sessionid=gzwFezc9KQ1LHlfVObcb583v1Iyt4XKM0riVM3oUoW8THdpi; Max-Age=3600; Domain=my-testing.com; Path=/; Expires=Fri, 28 Jan 2022 11:45:06 GMT; HttpOnly; Secure; SameSite=Strict
```
- Notice the Domain=my-testing.com piece in the above header. This is IMPORTANT.
Subdomain with Same Port Again
Now if we try to load the page https://subdomain1.my-testing.com:8443/, we get a different result.
We can see that the cookie was sent in the request this time.
Checking the server logs also shows the cookie was received by the web server.
Subdomain with Different Port
As a final test, we’ll see if the cookie with the Domain attribute is sent when we use a subdomain and a different port, i.e. https://subdomain1.my-testing.com:9999/.
The cookie was again included in the request, showing that the port has no effect on whether the cookie is sent.
For a summary of these findings, please refer to the table in the Short Answer & Summary section at the top of this page.