http - Domain set cookie for subdomain

Question

I looked in many questions about cookies but I didn't find an answer on my problem. I have following scenario:

A user creates a login on example.com and should get a cookie but only for the subdomain fuu.example.com. I generate following HTTP header part:

Set-Cookie: name=TestUser; Domain=fuu.example.com; Path=/; secure; HttpOnly 

But when I make a request to https://fuu.example.com, the cookie will be not added to the request. I wonder if it is possible that example.com sets a cookie for fuu.example.com. I know that it is possible that example.com set a cookie for .example.com also for all subdomains for example.com but that's not what I want.

How do I set a cookie for a subdomain? I am not seeing the cookie in a request to the subdomain.

Answer 1

No. Besides that fuu.example.com is an invalid Domain value (it must start with a ., i.e. .fuu.example.com) (see update below) the cookie would get rejected:

To prevent possible security or privacy violations, a user agent rejects a cookie (shall not store its information) if any of the following is true:

• The request-host is a Fully-Qualifed Domain Name (not IP address) and has the form HD, where D is the value of the Domain attribute, and H is a string that contains one or more dots.

The request-host is example.com and the Domain attribute value is foo.example.com. But the request-host example.com does not has the form HD where D would be foo.example.com. Thus the cookie gets rejected.

---

Update????The current specification RFC 6265, that obsoleted RFC 2109 that is quoted above, does ignore the leading dot. But the effective domain is handled the same:

[…] if the value of the Domain attribute is "example.com", the user agent will include the cookie in the Cookie header when making HTTP requests to example.com, www.example.com, and www.corp.example.com. (Note that a leading %x2E ("."), if present, is ignored even though that character is not permitted, but a trailing %x2E ("."), if present, will cause the user agent to ignore the attribute.)

[…] the user agent will accept a cookie with a Domain attribute of "example.com" or of "foo.example.com" from foo.example.com, but the user agent will not accept a cookie with a Domain attribute of "bar.example.com" or of "baz.foo.example.com".