Posted by Chris Shiflett on 03/18/05 04:06

Brian Dunning wrote:
> I've always known that you can specify a domain when you set a cookie,
> and for kicks I experimented with a test page setting a cookie for the
> yahoo.com. Seems to me that browsers wouldn't allow this as it could
> create any number of security problems.

This is why the specification mentions, "Only hosts within the specified
domain can set a cookie for a domain."

> Question: why didn't this work, is it supposed to work the way I was
> trying, and if not, then what is that domain variable there for?

It allows you to specify the domain for which the cookie is valid. When
a browser makes a request, it checks for cookies to be included in the
Cookie header. Only those that meet the requirements (domain, path,
expiry, etc.) are included.

Hope that helps.

Chris

--
Chris Shiflett
Brain Bulb, The PHP Consultancy
http://brainbulb.com/

[Back to original message]