Questions about this topic? Sign up to ask in the talk tab.

Cookies/Flags/Domain

From NetSec
Revision as of 06:40, 19 July 2012 by Chantal21I (Talk | contribs) (Created page with "Domain serves the opposite purpose of Path, that is, it expands a cookie's scope beyond the FQDN that set it, to a broader domain. Say you have a cookie that has been set by htt...")

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

Domain serves the opposite purpose of Path, that is, it expands a cookie's scope beyond the FQDN that set it, to a broader domain.

Say you have a cookie that has been set by http://savitri.staff.blackhatacademy.org. By default, http://hatter.staff.blackhatacademy.org can't access it. But if the first wants to share it with the second, then by setting Domain=.staff.blackhatacademy.org, this cookie is also obtained by http://hatter.staff.blackhatacademy.org

Note that if you specify another, same-level domain (that is, http://savitri.staff.blackhatacademy.org sets a cookie with Domain=errprone.staff.blackhatacademy.org), the result is not guaranteed, as your browser might reject this cookie.

Savitri says
this is to be checked and tested extensively, as it might be an interesting vector