The Domain and Path attributes of a cookie control its scope: which hosts and which URL paths the browser will send it to. Setting them correctly matters both for security and for the feature you are implementing.
Domain attribute
Purpose
- Specifies the valid domain for the Cookie
- Controls which subdomains can access the Cookie
Setting rules
```javascript
// Current page is https://www.example.com/

// 1. No Domain set (default): a host-only cookie
document.cookie = "token=abc";
// Sent only to www.example.com, not to any subdomain of it

// 2. Domain set to the current host
document.cookie = "token=abc; Domain=www.example.com";
// Sent to www.example.com and to hosts below it (e.g. foo.www.example.com)

// 3. Domain set to the parent domain
document.cookie = "token=abc; Domain=.example.com";
// Sent to example.com and all of its subdomains (www.example.com, api.example.com, ...).
// The leading dot is optional: browsers ignore it, so Domain=example.com is equivalent

// 4. Wrong example: Domain set to an unrelated domain
document.cookie = "token=abc; Domain=other.com";
// The browser rejects the whole cookie; nothing is stored
```
Important notes
- Domain must be the current host itself or one of its parent domains (and not a public suffix such as `com` or `co.uk`, which browsers refuse)
- A leading dot (`.example.com`) is accepted but ignored by current browsers (RFC 6265); `Domain=example.com` gives exactly the same scope
- Domain cannot name an unrelated domain; such a cookie is discarded entirely rather than stored with a narrower scope
- Omitting Domain gives the narrowest scope: a host-only cookie that is sent only to the host that set it, not to its subdomains
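To make the rules above concrete, here is a small model of how a browser processes the Domain attribute, written as an added example (it is not code from the original page). It follows the domain-matching rule of RFC 6265 §5.1.3 and the storage steps of §5.3, walks through the page's four cases from www.example.com, and then shows what a broad Domain implies: a sibling subdomain (blog.example.com, an assumed host) may set a cookie for the parent domain and thereby replace the one www.example.com will receive. All host names and cookie values are constructed; there is no `document.cookie` here, so it runs under Node.

```javascript
// Added example: a model of the Domain attribute per RFC 6265 §5.1.3 / §5.3.
// Hosts and cookie values below are constructed for illustration.

// §5.1.3: host domain-matches domainString when they are equal, or when host
// ends with "." + domainString and host is not an IP address.
function domainMatches(host, domainString) {
  host = host.toLowerCase();
  domainString = domainString.toLowerCase();
  if (host === domainString) return true;
  return host.endsWith("." + domainString) && !/^[\d.]+$/.test(host);
}

// Split a Set-Cookie value (same syntax as a document.cookie assignment)
// into name, value and lower-cased attribute names.
function parseSetCookie(header) {
  const [pair, ...attrParts] = header.split(";");
  const eq = pair.indexOf("=");
  const name = pair.slice(0, eq).trim();
  const value = pair.slice(eq + 1).trim();
  const attrs = {};
  for (const part of attrParts) {
    const [k, ...rest] = part.split("=");
    attrs[k.trim().toLowerCase()] = rest.join("=").trim();
  }
  return { name, value, attrs };
}

// Decide whether a cookie set from requestHost is stored, and with what
// domain scope. Returns null when the browser ignores the cookie.
function storeCookie(jar, requestHost, header) {
  const { name, value, attrs } = parseSetCookie(header);
  requestHost = requestHost.toLowerCase();
  let domain = (attrs.domain || "").toLowerCase();
  // §5.2.3: a leading dot is ignored, so ".example.com" === "example.com".
  if (domain.startsWith(".")) domain = domain.slice(1);
  let cookie;
  if (domain === "") {
    // No Domain attribute: host-only cookie, sent to requestHost alone.
    cookie = { name, value, domain: requestHost, hostOnly: true };
  } else {
    // §5.3 step 6: requestHost must domain-match the attribute, otherwise the
    // whole cookie is rejected (Domain=other.com set from www.example.com).
    if (!domainMatches(requestHost, domain)) return null;
    cookie = { name, value, domain, hostOnly: false };
  }
  // §5.3 step 11: same name + domain replaces the stored cookie (every cookie
  // in this model uses the default path, so path is not part of the key here).
  const i = jar.findIndex(c => c.name === cookie.name && c.domain === cookie.domain);
  if (i >= 0) jar[i] = cookie; else jar.push(cookie);
  return cookie;
}

// §5.4 step 1: the cookies a request to host carries.
function cookiesSentTo(jar, host) {
  return jar
    .filter(c => (c.hostOnly ? host.toLowerCase() === c.domain : domainMatches(host, c.domain)))
    .map(c => `${c.name}=${c.value}`);
}

// The page's four cases, set from www.example.com, plus one more: a sibling
// subdomain replacing the parent-domain cookie (RFC 6265 §8.6, weak integrity).
function demo() {
  const jar = [];
  const rejected = [];
  for (const h of [
    "a=1",                           // host-only
    "b=2; Domain=www.example.com",   // www.example.com and hosts below it
    "c=3; Domain=.example.com",      // every host under example.com
    "d=4; Domain=other.com",         // unrelated domain: ignored
  ]) {
    if (storeCookie(jar, "www.example.com", h) === null) rejected.push(h);
  }
  const before = cookiesSentTo(jar, "www.example.com");
  // blog.example.com (assumed host) may set Domain=example.com, its parent,
  // and in doing so replaces the "c" cookie that www.example.com will receive.
  storeCookie(jar, "blog.example.com", "c=tossed; Domain=example.com");
  return {
    rejected,
    before,
    www: cookiesSentTo(jar, "www.example.com"),
    api: cookiesSentTo(jar, "api.example.com"),
    deep: cookiesSentTo(jar, "foo.www.example.com"),
    other: cookiesSentTo(jar, "other.com"),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The `deep` result shows the point the page's case 2 glosses over: `Domain=www.example.com` is a domain cookie, so foo.www.example.com receives it while the host-only cookie `a` stays with www.example.com. The replacement of `c` is the cost of a broad Domain: every host under example.com can write it, not just read it.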
Path attribute
Purpose
- Specifies the valid path for the Cookie
- Controls which URL paths can access the Cookie
Setting rules
```javascript
// Current page is https://www.example.com/account/settings (path assumed for this example)

// 1. No Path set (default)
document.cookie = "token=abc";
// The default path is the request path up to, but not including, its last "/":
// here /account, so the cookie is sent to /account and everything below it

// 2. Root path
document.cookie = "token=abc; Path=/";
// Sent to every path on the host

// 3. Specific path
document.cookie = "token=abc; Path=/api";
// Sent to /api and its subpaths (/api/users, /api/data, ...), but not to /apiary

// 4. Another specific path
document.cookie = "token=abc; Path=/admin";
// Sent to /admin and its subpaths only
```
Matching rules
- The cookie is sent only with requests whose path equals the cookie's Path or lies below it
- Matching is prefix matching on whole path segments: `Path=/api` matches `/api` and `/api/users` but not `/apiary`, because the prefix must end at a `/`
- When several cookies match, the browser lists those with longer (more specific) paths first in the Cookie header; the server still receives all of them, so "priority" only means ordering, and a server that reads the first value named `token` sees the most specific one
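The path rules are easy to get slightly wrong, so here is an added example (not code from the original page) that implements the default-path rule and the path-match rule of RFC 6265 §5.1.4 together with the ordering rule of §5.4, then exercises them on the paths used in this section. The request paths and cookie names are constructed for illustration.

```javascript
// Added example: Path handling per RFC 6265 §5.1.4 and §5.4.
// Paths and cookie values below are constructed for illustration.

// §5.1.4 default-path: the request path up to, but not including, the
// right-most "/"; "/" when nothing is left or the path does not start with "/".
function defaultPath(requestPath) {
  if (!requestPath.startsWith("/")) return "/";
  const lastSlash = requestPath.lastIndexOf("/");
  if (lastSlash === 0) return "/";
  return requestPath.slice(0, lastSlash);
}

// §5.1.4 path-match: cookiePath is a prefix of requestPath, and either
// cookiePath ends in "/" or the next character of requestPath is "/".
// Hence Path=/api matches /api and /api/users but not /apiary.
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  if (cookiePath.endsWith("/")) return true;
  return requestPath[cookiePath.length] === "/";
}

// Build the stored cookie for a response to requestPath. §5.2.4: a Path
// attribute that is absent or does not start with "/" falls back to the default path.
function newCookie(requestPath, name, value, pathAttr) {
  const path = pathAttr && pathAttr.startsWith("/") ? pathAttr : defaultPath(requestPath);
  return { name, value, path };
}

// §5.4 step 2: matching cookies, longer paths first, joined as the Cookie header.
function cookieHeader(jar, requestPath) {
  return jar
    .filter(c => pathMatches(requestPath, c.path))
    .sort((a, b) => b.path.length - a.path.length)
    .map(c => `${c.name}=${c.value}`)
    .join("; ");
}

// All four cookies are set by a response to /account/settings (assumed page path).
function demo() {
  const jar = [
    newCookie("/account/settings", "t1", "defaultpath"),      // default path: /account
    newCookie("/account/settings", "t2", "root", "/"),
    newCookie("/account/settings", "t3", "api", "/api"),
    newCookie("/account/settings", "t4", "admin", "/admin"),
  ];
  return {
    t1Path: jar[0].path,
    account: cookieHeader(jar, "/account/settings"),
    accountOther: cookieHeader(jar, "/account/profile"),
    root: cookieHeader(jar, "/"),
    api: cookieHeader(jar, "/api/users"),
    apiary: cookieHeader(jar, "/apiary"),
    admin: cookieHeader(jar, "/admin"),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Two results are worth noticing: `t1` without an explicit Path lands on `/account`, not on the page's full path, and the `/apiary` request receives only the root cookie even though `/api` is a string prefix of it.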
Combined usage examples
```javascript
// Scenario 1: site-wide cookie, sent to every host under example.com on every path
document.cookie = "theme=dark; Domain=.example.com; Path=/";

// Scenario 2: API-only cookie, sent to every host under example.com but only under /api
document.cookie = "apiToken=xyz; Domain=.example.com; Path=/api";

// Scenario 3: admin-backend cookie; must be set from admin.example.com (or a host below it)
document.cookie = "adminToken=123; Domain=admin.example.com; Path=/admin";
```
Security considerations
- Principle of least privilege
```javascript
// Not recommended: too broad. Every host under example.com can read this
// cookie, and every host under example.com can overwrite it, on every path
document.cookie = "token=abc; Domain=.example.com; Path=/";

// Recommended: limit scope. Set from api.example.com for its own API only
// (narrower still: omit Domain, which makes the cookie host-only for api.example.com)
document.cookie = "token=abc; Domain=api.example.com; Path=/api/v1";
```
- Prevent cookie leakage
  - Sensitive cookies should be limited to specific paths, so that they are not sent with requests that do not need them
  - Avoid setting cookies on static-resource paths; a cookie on Path=/ rides along with every image and script request
  - Use different paths for different functional cookies
- Know what Path does not do: it is not a security boundary. The same-origin policy ignores the path, so script on any page of the origin can read a cookie scoped to another path (for example by loading that path in an iframe and reading its `document.cookie`). RFC 6265 says so explicitly (§8.5). Path limits what the browser sends; it does not limit who on the origin can read it.
- Know what a broad Domain implies: any host that domain-matches `example.com` can set a cookie with `Domain=example.com` and the same name, replacing yours (§8.6). A cookie shared across subdomains is only as trustworthy as the least trustworthy subdomain.
- Real isolation comes from the other attributes, which cannot all be set from `document.cookie`: `HttpOnly` (header-only, keeps the value away from script), `Secure`, `SameSite`, and the `__Host-` name prefix, which forces `Secure`, `Path=/` and no Domain, i.e. a host-only cookie.
Real-world application scenarios
- Single Sign-On (SSO)
```javascript
// Set on the authentication domain (a host under example.com)
document.cookie = "ssoToken=xyz; Domain=.example.com; Path=/";
// All subdomains share the login state
```
- Multi-environment isolation
```javascript
// Development environment (set from a host under dev.example.com)
document.cookie = "token=dev; Domain=.dev.example.com; Path=/";

// Production environment
document.cookie = "token=prod; Domain=.example.com; Path=/";

// Caveat: the isolation is one-way. dev.example.com domain-matches example.com,
// so the production cookie is also sent to every dev host, and a request to
// dev.example.com then carries both "token=dev" and "token=prod". Use distinct
// cookie names, or a separate registrable domain for development, if that matters.
```
- Functional module isolation
```javascript
// User module
document.cookie = "userToken=abc; Path=/user";

// Payment module
document.cookie = "paymentToken=xyz; Path=/payment";
```