3 Things About Cookies You May Not Know


If you’re ever stuck wondering why Live HTTP Headers and Firebug are telling you your “Cookie:” request headers don’t match the “Set-Cookie:” response headers you’ve just been sent, here are a couple of points and gotchas worth remembering:

  1. A cookie can only be overwritten (or deleted) by a subsequent cookie exactly matching the name, path and domain of the original cookie. Even though a cookie with domain “.example.org” set by www.example.org is perfectly valid, it will not overwrite a previous cookie of the same name which was set against “www.example.org”. Instead, both cookies will be stored, and on subsequent requests only one will be sent.
  2. If multiple cookies of the same name match a given request URI, one is chosen by the browser. The more specific the path, the higher the precedence. However, precedence based on other attributes, including the domain, is unspecified and may vary between browsers. This means that if you have set cookies of the same name against “.example.org” and “www.example.org”, you can’t be sure which one will be sent back.
  3. The HTTP state object is called a cookie for no compelling reason according to the preliminary specification from Netscape.
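
The storage and ordering rules from points 1 and 2, modelled as a small cookie jar. This is an added example, not code from the original article: the `CookieJar` class and its helpers are hypothetical names, the sample headers are constructed, and the jar lists every matching cookie in the header, ordered as in the RFC 2965 passage quoted in the comments below.

```javascript
// Added example: simplified cookie jar keyed by (name, domain, path).
// Not modelled: Expires, Secure, HttpOnly, SameSite, public-suffix checks.
const domainMatch = (host, d) => host === d || host.endsWith("." + d);
const pathMatch = (reqPath, cookiePath) =>
  reqPath === cookiePath || (reqPath.startsWith(cookiePath) &&
    (cookiePath.endsWith("/") || reqPath[cookiePath.length] === "/"));

class CookieJar {
  constructor() { this.store = new Map(); }
  // Apply one Set-Cookie header value received from `host`.
  setCookie(host, header) {
    const [pair, ...attrs] = header.split(";").map((s) => s.trim());
    const eq = pair.indexOf("=");
    const c = { name: pair.slice(0, eq), value: pair.slice(eq + 1),
                domain: host, hostOnly: true, path: "/" };
    let expired = false;
    for (const attr of attrs) {
      const [k, v = ""] = attr.split("=").map((s) => s.trim());
      const key = k.toLowerCase();
      if (key === "domain" && v) {
        c.domain = v.replace(/^\./, "").toLowerCase();
        c.hostOnly = false;
      } else if (key === "path" && v.startsWith("/")) c.path = v;
      else if (key === "max-age" && v !== "" && Number(v) <= 0) expired = true;
    }
    if (!domainMatch(host, c.domain)) return false; // Domain outside the host's scope
    const id = `${c.name}|${c.domain}|${c.path}`;
    if (expired) return this.store.delete(id); // true only if an exact match existed
    this.store.set(id, c); // replaces an exact match, otherwise adds an entry
    return true;
  }
  // Cookie header for a request: most specific path first. Ties keep
  // insertion order in this model; real browsers may order them differently.
  cookieHeader(host, reqPath) {
    return [...this.store.values()]
      .filter((c) => (c.hostOnly ? host === c.domain : domainMatch(host, c.domain)) &&
        pathMatch(reqPath, c.path))
      .sort((a, b) => b.path.length - a.path.length)
      .map((c) => `${c.name}=${c.value}`).join("; ");
  }
}

// Constructed scenario: the two cookies from point 1, then a "logout" that
// clears only the .example.org cookie and leaves the host-only one behind.
const jar = new CookieJar();
jar.setCookie("www.example.org", "sid=host-only");
jar.setCookie("www.example.org", "sid=domain-wide; Domain=.example.org");
console.log(jar.cookieHeader("www.example.org", "/"));
jar.setCookie("www.example.org", "sid=; Max-Age=0; Domain=.example.org");
console.log(jar.cookieHeader("www.example.org", "/"));
```

A logout or rotation handler that clears a cookie with a different Domain or Path than the one used to set it leaves the original in the jar, which is what the second printed header shows.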

Written By:

Paul Annesley

Paul is a Rails and PHP developer in the SitePoint group of companies.


{ 5 comments }

Jonathan Landis December 15, 2007 at 7:44 pm

The current standard for cookies is RFC 2965, and 2109 is obsolete. In the current standard, multiple cookies with the same name and different path/domain components are allowed, and they are sent by the browser in order from most-specific to least-specific. The current versions of both Firefox and IE behave according to the new standard.

Tgr November 3, 2011 at 8:27 am

“In the current standard, multiple cookies with the same name and different path/domain components are allowed, and they are sent by the browser in order from most-specific to least-specific.”

This is incorrect. RFC 2965 says:

“If multiple cookies satisfy the criteria above, they are ordered in
the Cookie header such that those with more specific Path attributes
precede those with less specific. Ordering with respect to other
attributes (e.g., Domain) is unspecified.”

so ordering is unspecified, just as the article claims.

BiscuitMonster September 29, 2007 at 7:43 pm

I’ve heard they make excellent coasters.

CookieMonster September 27, 2007 at 10:09 pm

And they are good with a nice cup of tea.

Interlock September 26, 2007 at 6:48 am

Also, Cookies are good with milk. Oh wait, wrong cookie.
