May 30, 01:00
What is the purpose of Cookie's Domain and Path attributes? How to set them correctly?
The Domain and Path attributes of a Cookie control its scope: which hosts and which URL paths the browser will send it to. Setting them correctly matters both for security and for getting the intended functionality.
Domain attribute
Purpose
- Specifies the valid domain for the Cookie
- Controls which subdomains can access the Cookie
Setting rules
```javascript
// Current domain is www.example.com

// 1. No Domain set (default)
document.cookie = "token=abc";
// Only www.example.com can access

// 2. Set to current domain
document.cookie = "token=abc; Domain=www.example.com";
// Only www.example.com can access

// 3. Set to parent domain (with dot prefix)
document.cookie = "token=abc; Domain=.example.com";
// All subdomains can access (www.example.com, api.example.com, etc.)

// 4. Wrong example: set to different domain
document.cookie = "token=abc; Domain=other.com";
// Browser will ignore this setting
```
Important notes
- Domain must be the current domain itself or one of its parent domains
- When setting a parent domain, use a dot prefix (.example.com)
- Domain cannot be set to a completely different domain
Path attribute
Purpose
- Specifies the valid path for the Cookie
- Controls which URL paths can access the Cookie
Setting rules
```javascript
// Current domain is www.example.com

// 1. No Path set (default)
document.cookie = "token=abc";
// Only current path and its subpaths can access

// 2. Set to root path
document.cookie = "token=abc; Path=/";
// All paths under the entire domain can access

// 3. Set to specific path
document.cookie = "token=abc; Path=/api";
// Only /api and its subpaths can access (/api/users, /api/data, etc.)

// 4. Set to parent path
document.cookie = "token=abc; Path=/admin";
// Only /admin and its subpaths can access
```
Matching rules
- The Cookie is only sent for the specified path and its subpaths
- Path matching is prefix matching
- More specific paths take priority
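To make the Domain setting rules and the Path matching rules above concrete, here is an added example (not code from the original page) that models the browser's domain-match and path-match checks from RFC 6265 and the rejection of a Domain that is not the setting host or one of its parents. The helper names storeCookie and wouldBeSent are hypothetical, the hosts and URLs are constructed samples, and Secure, HttpOnly and SameSite are deliberately left out of the model.

```javascript
// Added example: a small model of RFC 6265 domain and path matching.
// All hostnames and URLs used here are constructed sample values.

// Domain-match: host equals the domain, or ends with "." + domain.
// A leading dot on the attribute value is accepted and stripped.
function domainMatches(requestHost, cookieDomain) {
  const host = requestHost.toLowerCase();
  const domain = cookieDomain.toLowerCase().replace(/^\./, "");
  return host === domain || host.endsWith("." + domain);
}

// Default path when no Path attribute is given: the request path up to
// (not including) its last "/", or "/" when there is no deeper directory.
function defaultPath(requestPath) {
  if (!requestPath.startsWith("/") || requestPath === "/") return "/";
  const i = requestPath.lastIndexOf("/");
  return i === 0 ? "/" : requestPath.slice(0, i);
}

// Path-match: identical, or a prefix that ends in "/", or a prefix followed
// by "/" in the request path (so Path=/api matches /api/users but not /apix).
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// Simulate storing a cookie set by a page at setHost/setPath with optional
// Domain and Path attributes. Returns null when the browser would reject it
// (e.g. Domain=other.com set from www.example.com).
function storeCookie(setHost, setPath, attrs = {}) {
  const domain = attrs.domain ? attrs.domain.replace(/^\./, "") : null;
  if (domain && !domainMatches(setHost, domain)) return null;
  return {
    domain: domain || setHost,
    hostOnly: !domain, // no Domain attribute: only the exact host matches
    path: attrs.path || defaultPath(setPath),
  };
}

// Would the stored cookie be attached to a request for this URL?
function wouldBeSent(cookie, url) {
  const { hostname, pathname } = new URL(url);
  const hostOk = cookie.hostOnly
    ? hostname === cookie.domain
    : domainMatches(hostname, cookie.domain);
  return hostOk && pathMatches(pathname, cookie.path);
}
```

Running candidate Domain/Path combinations through wouldBeSent is a quick way to check that a cookie's scope is no wider than intended before deploying it.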
Combined usage examples
```javascript
// Scenario 1: Site-wide Cookie
document.cookie = "theme=dark; Domain=.example.com; Path=/";

// Scenario 2: API-only Cookie
document.cookie = "apiToken=xyz; Domain=.example.com; Path=/api";

// Scenario 3: Admin backend specific Cookie
document.cookie = "adminToken=123; Domain=admin.example.com; Path=/admin";
```
Security considerations
- Principle of least privilege
```javascript
// Not recommended: too broad
document.cookie = "token=abc; Domain=.example.com; Path=/";

// Recommended: limit scope
document.cookie = "token=abc; Domain=api.example.com; Path=/api/v1";
```
- Prevent Cookie leakage
- Sensitive Cookies should be limited to specific paths
- Avoid setting Cookies on static resource paths
- Use different paths for different functional Cookies
Real-world application scenarios
- Single Sign-On (SSO)
```javascript
// Set on authentication domain
document.cookie = "ssoToken=xyz; Domain=.example.com; Path=/";
// All subdomains share login status
```
- Multi-environment isolation
```javascript
// Development environment
document.cookie = "token=dev; Domain=.dev.example.com; Path=/";

// Production environment
document.cookie = "token=prod; Domain=.example.com; Path=/";
```
- Functional module isolation
```javascript
// User module
document.cookie = "userToken=abc; Path=/user";

// Payment module
document.cookie = "paymentToken=xyz; Path=/payment";
```