
If you're not using separate domains then I hope you don't have any kind of sensitive information stored in cookies. You can't rely on the path restrictions for cookies because it's easily bypassed.


You can set cookies that strictly stay on the root domain and don't cross to subdomain origins, and vice versa (https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/Coo...). We've been doing this for 12 years without issue.

Strict cookies crossing root to subdomains would be a major security bug in browsers. It's always been a (valid) theoretical concern but it's never happened on a large scale to the point I've had to address it. There is likely regression testing on all the major browsers that will catch a situation where this happens.
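As an added example (not code from either commenter), a small Python model of the RFC 6265 scoping rules the two comments are arguing about: a Set-Cookie with no Domain attribute is host-only and stays on the exact host that set it, Domain=example.com extends it to every subdomain, and Path only narrows which requests carry the cookie. The parser is simplified (no expiry, SameSite or IP-address handling) and is my own construction.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Cookie:
    name: str
    domain: str       # host that set it (host-only) or the Domain attribute value
    host_only: bool   # True when Set-Cookie carried no Domain attribute
    path: str = "/"


def domain_matches(host: str, domain: str) -> bool:
    """RFC 6265 s5.1.3: host is the domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def path_matches(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 s5.1.4: prefix match on a path-segment boundary."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False


def parse_set_cookie(header: str, request_host: str) -> Optional[Cookie]:
    """Store a Set-Cookie header as a browser would (RFC 6265 s5.3, simplified).
    Returns None when the Domain attribute does not cover the setting host,
    which is the case a browser silently ignores."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0]
    domain, path = None, "/"
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        key = key.strip().lower()
        if key == "domain":
            domain = value.strip().lstrip(".").lower()  # leading dot is ignored
        elif key == "path":
            path = value.strip() or "/"
    host = request_host.lower()
    if domain is None:
        return Cookie(name, host, True, path)        # host-only: no subdomains
    if not domain_matches(host, domain):
        return None                                  # e.g. Domain=other.com
    return Cookie(name, domain, False, path)         # sent to all subdomains


def is_sent(cookie: Cookie, host: str, path: str = "/") -> bool:
    """RFC 6265 s5.4: would the browser attach this cookie to a request?
    Note that Path is not an origin boundary: script on the same host can
    still read the cookie via document.cookie from any path."""
    host = host.lower()
    host_ok = host == cookie.domain if cookie.host_only else domain_matches(host, cookie.domain)
    return host_ok and path_matches(path, cookie.path)
```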



