Cookies

[Andy]

Hey guys, quick question about cookies.

suppose I ran a site on the domain randomsite.com, and a couple of my pages use cookies

my friend also runs a site under my subdomain: sd.randomsite.com

is there a way to prevent having the users cookies from my site sent to him?

i know one way is to run my site under www.randomsite.com, and then have the cookies domain set to that, but is there a way around that?

thanks!

[Brightguy]

If the Host is .randomsite.com, Firefox will send the cookie to any site on that domain. Remove the leading period for the behaviour you want. I haven't tried other browsers...

[Andy]

what if i occupied several subdomains on my domain? ie

sd1.randomsite.com, sd2.randomsite.com, sd3.randomsite.com, randomsite.com, www.randomsite.com

and my friend only occupied the sd1.randomsite.com subdomain

is there a way for me to keep my cookies working for all of my sites, but not his?

thanks

[md]

nope.

You shouldn't be using cookies for anything requiring cookies anyways. Assume that any cookies you set can be read by everyone and build your security around that.

[octopi]

Andy, when you set your cookies, make a function that sets the same cookie for all your domains.
So you'll be setting 5 different cookies for example, one each for each sub-domain you want.

[jeffgreco13]

Are you trying to store secure information via this cookie?

Give us an idea of what information is to be held in the cookie. There is not way to restrict access to cookies from sub-domains, but Octopi might have a point and just have the browser load a specific cookie for each sub-domain.

[octopi]

You might also be able to unset the cookies for his specific domain, but I'm not sure if that would work or not.

Basically you could try setting the cookies for all domains, then set another cookie for his specific domain but set a blank value.

Also if your worried about him reading and using any data in them, you could encrypt the cookies with some sort of encryption like AES (or one of many, many different types)

[Andy]

octopi @ Wed Jul 30, 2008 12:34 pm wrote:

You might also be able to unset the cookies for his specific domain, but I'm not sure if that would work or not.

Basically you could try setting the cookies for all domains, then set another cookie for his specific domain but set a blank value.

then when the user visits his subdomain, cookies from my domain will not be appended to the get request?

Here's another question, are cookies appended to all get requests? even requests for images?

If i had a website www.abcdefg.com and had a cookie for the domain, would a get request for the image www.abcdefg.com/pic1.jpg also contain the cookie?

thanks

[Tony]

Andy @ Thu Jul 31, 2008 8:39 am wrote:

Here's another question, are cookies appended to all get requests? even requests for images?

Yes. Remember that an image is just a response to a request. A *.php page could return an image, for example.

So one of service optimizations is to host static images on their own subdomain (or sometimes full out domain), so that all requests are cookie~less. Most of high-volume websites do this.

[Andy]

I figured out an alternative solution to my problem. Thanks guys!

[jeffgreco13]

Well?? tell us what you've come up with....

[Andy]

oh, i noticed cookies have nothing to do with ip address, and is purely about domain. so instead of giving my friend a subdomain, i'll just have him run a different webserver.