Which cookie attributes uniquely identify a cookie?

2
votes

I'm trying to determine scenarios in which a cookie returned by HTTP server overwrites an existing cookie vs. sets a new cookie.

Say foo.example.com sets a cookie:

Set-Cookie: SSID=abc; Domain=.example.com; Path=/abc; Expires=Wed, 13-Jan-2021 22:23:01 GMT; Secure; HttpOnly

Which attributes bar.example.com needs to set in order to overwrite this cookie and not create a new one? In particular, will following response header overwrite the original cookie:

Set-Cookie: SSID=xyz; Domain=.example.com; Expires=Wed, 13-Jan-1990 22:23:01 GMT;

Is the behavior consistent across browsers?

1
securityhttpweb-applicationscookies

1 Answers

2
votes

According to RFC 6265:

If the user agent receives a new cookie with the same cookie-name, domain-value, and path-value as a cookie that it has already stored, the existing cookie is evicted and replaced with the new cookie.

This statement was in RFCs for more than 10 years and only changed in wording slighly, so I suppose this behaviour is consistent across all browsers.

In your example, the two cookies have different path (the second assumes '/' by default), so they will be treated as different cookies. For pages in the path from the first cookies there will be two cookies with the same name, so they are processed by a browser according to the RFC as follows:

If multiple cookies satisfy the criteria above, they are ordered in the Cookie header such that those with more specific Path attributes precede those with less specific.