3 Things About Cookies You May Not Know

If you’re ever stuck wondering why Live HTTP Headers and Firebug are telling you your “Cookie:” request headers don’t match the “Set-Cookie:” response headers you’ve just been sent, here’s a couple of points and gotchas worth remembering:

1. A cookie can only be overwritten (or deleted) by a subsequent cookie exactly matching the name, path and domain of the original cookie. Even though a cookie with domain “.example.org” set by www.example.org is perfectly valid, it will not overwrite a previous cookie of the same name which was set against “www.example.org”. Instead, both cookies will be stored, and on subsequent requests only one will be sent.
2. If multiple cookies of the same name match a given request URI, one is chosen by the browser.
   The more specific the path, the higher the precedence. However precedence based on other attributes, including the domain, is unspecified, and may vary between browsers. This means that if you have set cookies of the same name against “.example.org” and “www.example.org”, you can’t be sure which one will be sent back.
3. The HTTP state object is called a cookie for no compelling reason according to the preliminary specification from Netscape.

Related posts:

1. Cookie-less Session Variables in JavaScript Cookies may be delicious, but they can be clumsy if...
2. On $_GET and $_POST Troels Knak-Nielsen offers some thoughts about the naming of $_GET...
3. Why Opera 10’s User Agent Smells Bad The user agent in the soon-to-be-released Opera 10 will report...
4. The New W3C Website Goes Live … With Invalid CSS! The new and overdue W3C website redesign has been completed....

This entry was posted on Monday, September 24th, 2007 at 1:01 pm, contains 256 words, 6 images, and is filed under Web Tech. You can follow any responses to this entry through the RSS 2.0 feed. Both comments and pings are currently closed. The views and opinions in this blog post are those of its author.