#StackBounty: #javascript #cookies cookie dupes to domain without dot prefix

Bounty: 500

I have this weird issue I cannot figure out, so I was hoping someone smarter than me could help!

I have a site https://example.com (no subdomain)

I have some code that sets a cookie, e.g.

var value="some value";
document.cookie="myCookie="+escape(value)+"; path=/; domain=example.com";

This code runs during page load in some script tag. When the page is first loaded, I see my cookie set, and in (Chrome) dev tools > Application > Domain column, I see that it is set on .example.com with a leading dot, which is fine.

But then I refresh the page, and my code runs again (and there is a new value being pushed to the cookie; dunno if that matters). I look in the Application tab and I now see a “duplicate” entry for myCookie – one on .example.com and another on example.com (no leading dot). The values are the same. This is weird to me and I do not know why this is happening. Does anybody have any possible reasons for why this can happen?

Further down this rabbit hole.. I refresh the page again and the myCookie value on .example.com updates, but the one on example.com does not. More weirdness!

Meanwhile, I have other code that tries to read the cookie, but apparently the myCookie cookie on example.com takes precedence and I get that value, not the latest value (reflected in the .example.com cookie).

I have tried explicitly setting the cookie on .example.com (domain=.example.com) but the described behavior above still happens. Also, near as I can tell, there is no way for me in JavaScript to explicitly reference the cookie on .example.com: document.cookie just shows the frontier.com one (but the dev tools Applications tab does show it? So is this exposed in JavaScript?)

I can’t provide a link to the site, but I can try to answer any questions someone might have to clarify.

But my main question is: can anybody explain possible reasons this might happen, or at least offer something that might point me in the right direction? Or failing that, alternatively some workaround to explicitly read from .example.com?

Edit

At this point, my best guess is something else on the site, likely server-side script, is duping the cookies over from .example.com to example.com but only if the values change. But this is pure speculation. I haven’t been able to find any client-side proof of this (yet..) and I don’t actually have access to server-side stuff. And this is probably grasping at straws anyways. But it’s my best working theory ATM to take back to the site devs to ask them about..
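
Added example, not part of the original post: a simplified cookie-jar model showing how a host-only cookie (listed as example.com in dev tools) and a Domain= cookie (listed as .example.com) with the same name coexist as separate entries, and why a write with domain=example.com or domain=.example.com only ever updates the second one. The `CookieJar` class, the `allValues` and `demo` helpers, and the assumption that something sets the cookie without a Domain attribute are constructed for illustration and are not a diagnosis of the site in the question.

```javascript
// Simplified cookie-jar model (added example; storage key follows RFC 6265bis).
// A cookie is identified by name + domain + host-only flag + path, so a
// host-only "example.com" entry and a Domain= ".example.com" entry coexist.
class CookieJar {
  constructor() { this.store = new Map(); this.clock = 0; }

  // host: host that set the cookie; domainAttr: Domain attribute, if any.
  set(host, name, value, { domainAttr, path = "/" } = {}) {
    const hostOnly = domainAttr === undefined;
    const domain = hostOnly ? host : domainAttr.replace(/^\./, "");
    const key = [name, domain, hostOnly, path].join("|");
    const old = this.store.get(key);
    // Overwriting an entry keeps its original creation time.
    const created = old ? old.created : ++this.clock;
    this.store.set(key, { name, value, domain, hostOnly, path, created });
  }

  // Cookies visible to `host`: longer path first, then older entry first.
  visible(host) {
    return [...this.store.values()]
      .filter(c => c.hostOnly ? c.domain === host
        : host === c.domain || host.endsWith("." + c.domain))
      .sort((a, b) => b.path.length - a.path.length || a.created - b.created);
  }

  // The "name=value; ..." string a script would read (HttpOnly not modelled).
  cookieString(host) {
    return this.visible(host).map(c => `${c.name}=${c.value}`).join("; ");
  }
}

// Every value stored under `name`; more than one means the name is shadowed.
function allValues(cookieString, name) {
  return cookieString.split("; ")
    .filter(p => p.slice(0, p.indexOf("=")) === name)
    .map(p => p.slice(p.indexOf("=") + 1));
}

// Constructed scenario mirroring the question; the host-only writer is assumed.
function demo() {
  const jar = new CookieJar();
  jar.set("example.com", "myCookie", "v1", { domainAttr: "example.com" });
  jar.set("example.com", "myCookie", "v2", { domainAttr: "example.com" });
  jar.set("example.com", "myCookie", "v2"); // no Domain attribute: host-only
  jar.set("example.com", "myCookie", "v3", { domainAttr: ".example.com" });
  return { entries: jar.store.size,
           values: allValues(jar.cookieString("example.com"), "myCookie") };
}
```

A reader that keeps the last match for a name ends up with the stale host-only value here, while one that keeps the first match gets the fresh one, so collecting all values per name is the reliable way to spot the duplicate.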

