Subdomain cookie sharing in nginx

Tag: security , cookies , nginx , subdomains , gunicorn Author: zhlp_0718 Date: 2012-07-16

I have a server running a number of sites. For example: example.com, a.example.com, b.example.com. All sites are routed via nginx to unix domain sockets. Each of the sites is a gunicorn instance.

Can applications on the subdomains read/write cookie data from example.com or from other subdomains? If yes, how can I disable it?

Best Answer

Sure, you can use separate cookies for the subdomain. The Cookie standards allow you to set a domain, which will be the only domain that browsers will send the cookie back to. You can set "a.example.com" as the domain, and browsers will only send cookies from that domain back to that domain.

From my reading of RFC 2965 for cookies, "a.example.com" cannot set a cookie for "b.example.com", only "example.com".

I think the bottom line is to be sure that you are using the "domain" property of cookies to set cookies for the subdomain, and not just "example.com", which all subdomains could read and write to.

comments:

I'm sorry, the question was about cookie data. Edited.