You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: 6-data-storage/01-cookie/article.md
+13-9Lines changed: 13 additions & 9 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -102,32 +102,36 @@ It's a safety restriction, to allow us to store sensitive data in cookies that s
102
102
103
103
By default, a cookie is accessible only at the domain that set it.
104
104
105
-
...What's tricky, we won't get the cookie at a subdomain `forum.site.com`!
105
+
Please note, by default a cookie is also not shared to a subdomain as well, such as `forum.site.com`.
106
106
107
107
```js
108
-
// at site.com
108
+
//if we set a cookie at site.com website...
109
109
document.cookie="user=John"
110
110
111
-
// at forum.site.com
111
+
//...we won't see it at forum.site.com
112
112
alert(document.cookie); // no user
113
113
```
114
114
115
-
...But if we'd like to allow subdomains like `forum.site.com` to get a cookie, that's possible. When setting a cookie at `site.com`, we should explicitly set the `domain` option to the root domain: `domain=site.com`:
115
+
...But this can be changed. If we'd like to allow subdomains like `forum.site.com` to get a cookie set at `site.com`, that's possible.
116
+
117
+
For that to happen, when setting a cookie at `site.com`, we should explicitly set the `domain` option to the root domain: `domain=site.com`. Then all subdomains will see such cookie.
118
+
119
+
For example:
116
120
117
121
```js
118
122
// at site.com
119
123
// make the cookie accessible on any subdomain *.site.com:
For historical reasons, `domain=.site.com` (a dot before `site.com`) also works the same way, allowing access to the cookie from subdomains. That's an old notation and should be used if we need to support very old browsers.
132
+
For historical reasons, `domain=.site.com` (with a dot before `site.com`) also works the same way, allowing access to the cookie from subdomains. That's an old notation and should be used if we need to support very old browsers.
129
133
130
-
So, the `domain` option allows to make a cookie accessible at subdomains.
134
+
To summarize, the `domain` option allows to make a cookie accessible at subdomains.
131
135
132
136
## expires, max-age
133
137
@@ -180,7 +184,7 @@ With this option, if a cookie is set by `https://site.com`, then it doesn't appe
180
184
// assuming we're on https:// now
181
185
// set the cookie to be secure (only accessible over HTTPS)
182
186
document.cookie="user=John; secure";
183
-
```
187
+
```
184
188
185
189
## samesite
186
190
@@ -247,7 +251,7 @@ But anything more complicated, like a network request from another site or a for
247
251
248
252
If that's fine for you, then adding `samesite=lax` will probably not break the user experience and add protection.
0 commit comments