Cookie path and its accessibility to subfolder pages

4

103

Let's say I have a website with domain: www.example.com

If I set a cookie with path '/' the cookie will be accessible via all pages in the domain, e.g.:

  • www.example.com/page1.html
  • www.example.com/subfolder1/page1.html
  • www.example.com/subfolder1/moresubfolder1/page1.html, etc.

What if we set the cookie to path '/subfolder1', will the cookie be made available to any page or subfolder beneath the folder? E.g.:

  • www.example.com/subfolder1/moresubfolder/page1.html

So, if not, I guess, I have no choice but to use path '/' for those cookies, right?

Shaniqua answered 23/2, 2009 at 4:34 Comment(0)
99

If we set the cookie to path '/subfolder1', will the cookie be made available to any page or subfolder beneath the folder?

Yes. The cookie will be available to all pages and subdirectories within the /subfolder1 path.

Mcmanus answered 23/2, 2009 at 4:44 Comment(6)
See https://mcmap.net/q/211956/-set-cookie-wildcard-quot-path-quot for the relevant specification. For those who didn't know, cookies are only accessible to the specified path and any subpaths, no superpaths. So cookies for the path "/folder/subfolder1/" are not accessible to "/folder/". I banged my head on this one for a bit. - Ermelindaermengarde
@SampleJACK ouch, that explains MY problem quite nicely! - Kirin
@Alex, so how do we get a cookie that is for /subfolder1 but not /subfolder1/inner-folder? - Exterminate
@Exterminate the answer we are commenting on is correct, were you asking something else? - Ermelindaermengarde
@SampleJACK how do we get a cookie that is for /subfolder1 but not /subfolder1/inner-folder? - Exterminate
As I understand it, that's not possible. Cookies apply to all lower paths (unless you set a different cookie for the lower down path, i.e. in our case on /subfolder1/inner-folder). - Gers
17

To remove some ambiguity by reusing a portion of this answer:

A request-path path-matches a given cookie-path if at least one of the following conditions holds:

  • The cookie-path and the request-path are identical.
  • The cookie-path is a prefix of the request-path, and the last character of the cookie-path is %x2F ("/").
  • The cookie-path is a prefix of the request-path, and the first character of the request-path that is not included in the cookie-path is a %x2F ("/") character.

There is a slight (but potentially important) difference between setting a cookie on the /subfolder1 path and the /subfolder1/ path.

If you rely on the former your request path needs to start with a "%x2F ("/") character" (a forward slash) to guarantee the desired behaviour. For an example, take a look at the linked answer.

Setting the cookie path to simply / avoids any edge cases, but as you say - the cookie would be accessible to the entire domain.

Centrosphere answered 13/5, 2016 at 13:9 Comment(3)
most informing answer - Pemba
What is the difference between /subfolder1 and /subfolder1/? From the linked answer, the only difference is: the request path /subfolder1KKK also matches cookie path /subfolder1, right? And different browsers may have different behavior, e.g. IE matches request path /subfolder1KKK to cookie path /subfolder1, but Firefox will not, right? - Hoofer
No difference between /subfolder1 and /subfolder1/ according to the quoted RFC. The only way it makes a difference is if a browser doesn't implement this rule (i.e. IE). Only cookie-path /subfolder1/ can match point 2; request-path /subfolder1ABC will not match cookie-path /subfolder1, since the first non-matching character is A, not /, so it does not satisfy point 3. - Castaway
13

If we set the cookie to path /subfolder1, the following pages in the example are accessible:

www.example.com/subfolder1/page1.html
www.example.com/subfolder1/moresubfolder1/page1.html
etc.

However, the page www.example.com/page1.html will not be accessible as it does not belong to the allowed path.

Nullification answered 14/7, 2014 at 10:16 Comment(0)
2

For example, there are 7 URLs below which can access the cookie with the global path /:

https://example.com/
https://example.com/a/
https://example.com/a/a-1/
https://example.com/a/a-2/
https://example.com/b/
https://example.com/b/b-1/
https://example.com/b/b-2/

Then, the cookie with the path /b can be accessed by the 3 URLs below:

https://example.com/b/
https://example.com/b/b-1/
https://example.com/b/b-2/
Pompadour answered 10/7, 2023 at 18:32 Comment(0)
