Cookie Domain Restrictions
When the application residing at foo.wahh-app.com sets a cookie, the browser will by default resubmit the cookie in all subsequent requests to foo.wahh-app.com, and also to any subdomains, such as admin.foo.wahh-app.com. It will not submit the cookie to any other domains, including the parent domain wahh-app.com and any other subdomains of the parent, such as bar.wahh-app.com.
A server can override this default behavior by including a domain attribute in the Set-cookie instruction. For example, suppose that the application at foo.wahh-app.com returns the following HTTP header:
Set-cookie: sessionId=19284710; domain=wahh-app.com;
The browser will then resubmit this cookie to all subdomains of wahh-app.com, including bar.wahh-app.com.
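The following is an added example, not part of the original text: a Python check that parses a Set-cookie header like the one above and reports which hosts outside the setting host's own subtree receive the cookie because of the domain attribute. The function names and the KNOWN_HOSTS inventory are constructed for illustration.

```python
# Added example: audit how a Set-cookie domain attribute widens cookie scope.
# KNOWN_HOSTS is a constructed inventory; function names are illustrative.
KNOWN_HOSTS = ["foo.wahh-app.com", "admin.foo.wahh-app.com",
               "bar.wahh-app.com", "wahh-app.com", "other.example"]

def parse_set_cookie(line):
    """Return (cookie name, attributes dict) from a Set-cookie header line."""
    if line.lower().startswith("set-cookie:"):
        line = line.split(":", 1)[1]
    parts = [p.strip() for p in line.split(";") if p.strip()]
    name = parts[0].partition("=")[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs

def domain_match(host, domain):
    """True if host equals domain or is a subdomain of it."""
    host = host.lower().rstrip(".")
    domain = domain.lower().strip(".")
    return host == domain or host.endswith("." + domain)

def audit_set_cookie(setting_host, line, inventory=KNOWN_HOSTS):
    """Report the cookie's scope and the hosts outside the setting host's
    own subtree that receive it because of the domain attribute."""
    name, attrs = parse_set_cookie(line)
    domain = attrs.get("domain", "").strip(".").lower()
    if not domain:
        # No domain attribute: scope stays with the setting host.
        return {"cookie": name, "scope": setting_host, "accepted": True, "extra_hosts": []}
    if not domain_match(setting_host, domain):
        # Browsers reject a domain attribute that does not cover the setting host.
        return {"cookie": name, "scope": domain, "accepted": False, "extra_hosts": []}
    extra = [h for h in inventory
             if domain_match(h, domain) and not domain_match(h, setting_host)]
    return {"cookie": name, "scope": domain, "accepted": True, "extra_hosts": extra}

if __name__ == "__main__":
    print(audit_set_cookie("foo.wahh-app.com",
                           "Set-cookie: sessionId=19284710; domain=wahh-app.com;"))
```

Run against captured response headers, a non-empty extra_hosts list identifies every other application that will see the cookie and therefore shares its exposure.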
NOTE