Are HTTP cookies port specific

Question

I have two HTTP services running on one machine  I just want to know if they share their cookies or whether the browser distinguishes between the two server sockets

User · Answer

According to RFC2965 3 3 1  which might or might not be followed by browsers   unless the port is explicitly specified via the port parameter of the Set-Cookie header  cookies might or might not be sent to any port   Google s Browser Security Handbook says  by default  cookie scope is limited to all URLs on the current host name - and not bound to port or protocol information  and some lines later There is no way to limit cookies to a single DNS name only       likewise  there is no way to limit them to a specific port   Also  keep in mind  that IE does not factor port numbers into its same-origin policy at all    So it does not seem to be safe to rely on any well-defined behavior here

User · Answer

It s optional   The port may be specified so cookies can be port specific  It s not necessary  the web server   application must care of this   Source  German Wikipedia article  RFC2109  Chapter 4 3 1

User · Answer

This is a really old question but I thought I would add a workaround I used   I have two services running on my laptop  one on port 3000 and the other on 4000   When I would jump between  http   localhost 3000 and http   localhost 4000   Chrome would pass in the same cookie  each service would not understand the cookie and generate a new one      I found that if I accessed http   localhost 3000 and http   127 0 0 1 4000  the problem went away since Chrome kept a cookie for localhost and one for 127 0 0 1   Again  noone may care at this point but it was easy and helpful to my situation

User · Answer

In IE 8  cookies  verified only against localhost  are shared between ports  In FF 10  they are not    I ve posted this answer so that readers will have at least one concrete option for testing each scenario

User · Answer

I was experiencing a similar problem running  and trying to debug  two different Django applications on the same machine    I was running them with these commands     manage py runserver 8000   manage py runserver 8001   When I did login in the first one and then in the second one I always got logged out the first one and viceversa   I added this on my  etc hosts  127 0 0 1    app1 127 0 0 1    app2   Then I started the two apps with these commands     manage py runserver app1 8000   manage py runserver app2 8001   Problem solved

User · Answer

This is a big gray area in cookie SOP  Same Origin Policy    Theoretically  you can specify port number in the domain and the cookie will not be shared  In practice  this doesn t work with several browsers and you will run into other issues  So this is only feasible if your sites are not for general public and you can control what browsers to use   The better approach is to get 2 domain names for the same IP and not relying on port numbers for cookies

User · Answer

The current cookie specification is RFC 6265  which replaces RFC 2109 and RFC 2965  both RFCs are now marked as  Historic   and formalizes the syntax for real-world usages of cookies   It clearly states         Introduction                  For historical reasons  cookies contain a number of security and privacy infelicities   For example  a server can indicate that a given cookie is intended for  secure  connections  but the Secure attribute does not provide integrity in the presence of an active network attacker   Similarly  cookies for a given host are shared across all the ports on that host  even though the usual  same-origin policy  used by web browsers isolates content retrieved via different ports    And also      8 5   Weak Confidentiality      Cookies do not provide isolation by port   If a cookie is readable by a service running on one port  the cookie is also readable by a service running on another port of the same server   If a cookie is writable by a service on one port  the cookie is also writable by a service running on another port of the same server   For this reason  servers SHOULD NOT both run mutually distrusting services on different ports of the same host and use cookies to store security sensitive information

User · Answer

An alternative way to go around the problem  is to make the name of the session cookie be port related  For example    mysession8080 for the server running on port 8080 mysession8000 for the server running on port 8000   Your code could access the webserver configuration to find out which port your server uses  and name the cookie accordingly   Keep in mind that your application will receive both cookies  and you need to request the one that corresponds to your port   There is no need to have the exact port number in the cookie name  but this is more convenient   In general  the cookie name could encode any other parameter specific to the server instance you use  so it can be decoded by the right context

[security] Are HTTP cookies port specific?

Examples related to security

Examples related to http

Examples related to cookies