Domain set cookie for subdomain

Tag: http, cookies, setcookie Author: xiawenyu110 Date: 2011-02-22

I looked at many questions about cookies but I didn't find an answer to my problem. I have the following scenario:

A user creates a login on and should get a cookie but only for the subdomain I generate the following HTTP header part:

Set-Cookie: name=TestUser;; Path=/; secure; HttpOnly 

But when I make a request to, the cookie will not be added to the request. I wonder if it is possible that sets a cookie for I know that it is possible that set a cookie for also for all subdomains for but that's not what I want.

How do I set a cookie for a subdomain? I am not seeing the cookie in a request to the subdomain.

Best Answer

No. Besides that is an invalid Domain value (it must start with a ., i.e. (see update below) the cookie would get rejected:

To prevent possible security or privacy violations, a user agent rejects a cookie (shall not store its information) if any of the following is true:

  • The request-host is a Fully-Qualified Domain Name (not IP address) and has the form HD, where D is the value of the Domain attribute, and H is a string that contains one or more dots.

The request-host is and the Domain attribute value is But the request-host does not have the form HD where D would be Thus the cookie gets rejected.

Update: The current specification RFC 6265, which obsoleted RFC 2109 that is quoted above, does ignore the leading dot. But the effective domain is handled the same:

[…] if the value of the Domain attribute is "", the user agent will include the cookie in the Cookie header when making HTTP requests to,, and (Note that a leading %x2E ("."), if present, is ignored even though that character is not permitted, but a trailing %x2E ("."), if present, will cause the user agent to ignore the attribute.)

[…] the user agent will accept a cookie with a Domain attribute of "" or of "" from, but the user agent will not accept a cookie with a Domain attribute of "" or of "".
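
The RFC 6265 rules quoted in the answer can be checked mechanically. The following is an added example, not code from the original question or answer: it models domain-matching (section 5.1.3) and the Domain handling in sections 5.2.3 and 5.3. The function names and the example.com hostnames are assumptions made for illustration, and public-suffix checks are left out.

```javascript
// Added example. Hostnames are constructed placeholders, not values from the page.
// Public-suffix rejection (RFC 6265 section 5.3, step 5) is not modelled.

function isIpAddress(host) {
  return /^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.includes(':');
}

// RFC 6265 section 5.1.3: does host `str` domain-match `domain`?
function domainMatches(str, domain) {
  const s = str.toLowerCase();
  const d = domain.toLowerCase();
  if (s === d) return true;
  // Suffix match must start at a label boundary, and `str` must be a host name.
  return d.length > 0 && s.endsWith('.' + d) && !isIpAddress(s);
}

// RFC 6265 sections 5.2.3 and 5.3 (step 6): what the user agent stores.
// Returns null when the cookie is ignored entirely.
function storeCookie(requestHost, domainAttr) {
  const host = requestHost.toLowerCase();
  // An empty Domain value is ignored; a single leading "." is stripped.
  let d = (domainAttr || '').toLowerCase();
  if (d.startsWith('.')) d = d.slice(1);
  if (d === '') return { domain: host, hostOnly: true };
  if (!domainMatches(host, d)) return null; // host may not claim this domain
  return { domain: d, hostOnly: false };
}

// Would a stored cookie be attached to a request for `requestHost`?
function isSentTo(cookie, requestHost) {
  const host = requestHost.toLowerCase();
  return cookie.hostOnly ? host === cookie.domain : domainMatches(host, cookie.domain);
}

// Constructed cases: [request-host of the Set-Cookie response, Domain attribute].
function demo() {
  const cases = [
    ['example.com', 'sub.example.com'],       // parent naming a child: ignored
    ['sub.example.com', 'sub.example.com'],   // host naming itself: stored
    ['sub.example.com', '.example.com'],      // leading dot stripped, parent scope
    ['sub.example.com', 'other.example.com'], // sibling: ignored
    ['sub.example.com', ''],                  // no Domain: host-only cookie
  ];
  return cases.map(([host, attr]) => ({ host, attr, stored: storeCookie(host, attr) }));
}

console.log(demo());
```

A cookie stored with no Domain attribute is host-only and is sent to the exact host that set it, which is the narrowest scope available; naming the host in Domain also covers that host's own subdomains.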