3 Things About Cookies You May Not Know

Tweet

If you’re ever stuck wondering why Live HTTP Headers and Firebug are telling you your “Cookie:” request headers don’t match the “Set-Cookie:” response headers you’ve just been sent, here’s a couple of points and gotchas worth remembering:

  1. A cookie can only be overwritten (or deleted) by a subsequent cookie exactly matching the name, path and domain of the original cookie. Even though a cookie with domain “.example.org” set by www.example.org is perfectly valid, it will not overwrite a previous cookie of the same name which was set against “www.example.org”. Instead, both cookies will be stored, and on subsequent requests only one will be sent.
  2. If multiple cookies of the same name match a given request URI, one is chosen by the browser.
    The more specific the path, the higher the precedence. However precedence based on other attributes, including the domain, is unspecified, and may vary between browsers. This means that if you have set cookies of the same name against “.example.org” and “www.example.org”, you can’t be sure which one will be sent back.
  3. The HTTP state object is called a cookie for no compelling reason according to the preliminary specification from Netscape.

Free book: Jump Start HTML5 Basics

Grab a free copy of one our latest ebooks! Packed with hints and tips on HTML5's most powerful new features.

  • Interlock

    Also, Cookies are good with milk. Oh wait, wrong cookie.

  • CookieMonster

    And they are good with a nice cup of tea.

  • BiscuitMonster

    I’ve heard they make excellent coasters.

  • Jonathan Landis

    The current standard for cookies is RFC 2965, and 2109 is obsolete. In the current standard, multiple cookies with the same name and different path/domain components are allowed, and they are sent by the browser in order from most-specific to least-specific. The current versions of both Firefox and IE behave according to the new standard.

    • Tgr

      “In the current standard, multiple cookies with the same name and different path/domain components are allowed, and they are sent by the browser in order from most-specific to least-specific.”

      This is incorrect. RFC 2965 says:

      ” If multiple cookies satisfy the criteria above, they are ordered in
      the Cookie header such that those with more specific Path attributes
      precede those with less specific. Ordering with respect to other
      attributes (e.g., Domain) is unspecified.”

      so ordering is unspecified, just as the article claims.