CookieDomain — set domain common to all servers providing Interchange content
The directive specifies the domain common to all servers providing Interchange content.
By default, the session ID cookie domain is set to the hostname you're accessing. For example, if you access the catalog using server myhost.mydomain.local, then the cookie will be set by myhost.mydomain.local.
Things, however, go bad if you use multiple Interchange servers (in a non-transparent way for the user) to provide content. For example, if SSL content was served from host ssl.mydomain.local, then users would have one session for myhost.mydomain.local and another for ssl.mydomain.local. This is undesired, of course.
To fix the described problem, we need to find the part of the FQDN that is common to all servers (mydomain.local in our example), and add it as the domain= parameter to the Set-Cookie directive that we send off to users' browsers. That's what the CookieDomain directive does.
CookieDomain accepts a space-separated list of domains to set cookies for, in which case the Set-Cookie: ... is sent to the client for each of the specified domains. Due to the cookie restrictions described in the section called “NOTES”, specifying multiple domains is only rarely (if ever?) needed and possible to implement.
The cookie specification mandates that the domain part must contain at least two fields (or 1 dot lying in between). The value of .mydomain.local is valid, but .local wouldn't be.
Furthermore, the cookie source can only be the FQDN of the host itself, or some of the subdomains, or the domain it belongs to. Browsers will ignore all cookies that do not satisfy this requirement. Host myhost.mydomain.local can set a cookie for itself or the domain mydomain.local, but it cannot set a cookie for, say, mydomain.local2. It is very fortunate we have this protection, or unrelated sites would read and set each other's cookies, something we definitely don't want to happen!
At least in Mozilla-like browsers, the domain is prefixed with a dot even if you omit it in the CookieDomain specification (mydomain.local ends up being the same as .mydomain.local).
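The browser-side checks described in these notes, as an added example (not Interchange code): a simplified model that decides whether a Domain value would be accepted from a given host and which hosts would then receive the cookie. Function names are hypothetical, the "two fields" rule is the one stated on this page, and IP-address hosts are not handled.

```javascript
// Simplified model of the Domain checks a browser applies to Set-Cookie.
// Assumption: the "at least two fields" rule is taken from this page;
// IP-address hosts are out of scope for this sketch.

// Strip one leading dot and lowercase, so "mydomain.local" equals ".mydomain.local".
function normalizeDomain(domain) {
  return domain.toLowerCase().replace(/^\./, "");
}

// True if `host` is `domain` itself or a subdomain of it.
// Matching on "." + domain keeps "notmydomain.local" from matching "mydomain.local".
function domainMatches(host, domain) {
  const h = host.toLowerCase();
  const d = normalizeDomain(domain);
  return h === d || h.endsWith("." + d);
}

// Would a cookie with this Domain be accepted when sent by `requestHost`?
function acceptsCookieDomain(requestHost, cookieDomain) {
  const d = normalizeDomain(cookieDomain);
  if (d.split(".").filter(Boolean).length < 2) return false; // e.g. ".local"
  return domainMatches(requestHost, d);
}

// Which of `hosts` will be sent a cookie scoped to `cookieDomain`?
function hostsReceivingCookie(hosts, cookieDomain) {
  return hosts.filter((h) => domainMatches(h, cookieDomain));
}

// Constructed sample hosts: the two from this page plus two that must not match.
const SAMPLE_HOSTS = [
  "myhost.mydomain.local",
  "ssl.mydomain.local",
  "www.notmydomain.local",
  "myhost.mydomain.local2",
];

for (const d of [".mydomain.local", "mydomain.local", ".local", "mydomain.local2"]) {
  const accepted = acceptsCookieDomain("myhost.mydomain.local", d);
  const receivers = accepted ? hostsReceivingCookie(SAMPLE_HOSTS, d) : [];
  console.log(`${d}: accepted=${accepted} receivers=${receivers.join(", ")}`);
}
```

Note that a cookie scoped to mydomain.local is sent to every host under that domain, so each of those hosts ends up holding the session ID.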
For a complete discussion on cookies, see cookie glossary entry.