Can I use localhost as the domain when setting an HTTP cookie?

Question

I am using a jQuery plugin to set cookies and when I use localhost for the domain it will not store the cookie.

Here is the plugin I am using with jQuery 1.2.6.

http://www.stilbuero.de/2006/09/17/cookie-plugin-for-jquery/

Below is the code that I am using. You can see it does not like localhost, and I am running it from a development web server on localhost. One detail is that I am running off port 4005 but that should not affect the domain, AFAIK.

$(function() {

    console.log('Testing');

    var one = $.cookie('Test.One');
    var two = $.cookie('Test.Two');
    var three = $.cookie('Test.Three');

    console.log(['one', one]);
    console.log(['two', two]);
    console.log(['three', three]);

    $('#div1').text(one);
    $('#div2').text(two);
    $('#div3').text(three);

    $.cookie('Test.One', 'Test 1');
    $.cookie('Test.Two', 'Test 2', { path: '/' });
    $.cookie('Test.Three', 'Test 3', { path: '/', domain: 'localhost' });

});

score 33 · Accepted Answer · answered Jan 28 '09 at 21:11

33

I had similar problem with setting cookies. Make up a domain name and add it to your hosts file as 127.0.0.1. Then run web application on that domain.

answered Jan 28 '09 at 21:11

empi

15,755
8
62
78

Yep, I should read this post instead of lost 2 hours ;-) "localhost" is definitively a not good value ! – Thomas Decaux Aug 13 '12 at 13:03
2

Just use "lvh.me". This domain name already pointed to 127.0.0.1 – M_R_K Dec 12 '16 at 02:15

score 13 · Answer 2 · edited Oct 07 '21 at 05:49

13

I think the domain name of a cookie must have exactly two dots (not counting the final dot after the TLD). So .something.localhost is okay, .google.com is okay, but .localhost or google.com is not. But a glance at RFC 2965 suggests that it's more complicated than that... you might want to read that document, especially section 3.3 (and/or its precursor, RFC 2109).

edited Oct 07 '21 at 05:49

Community

1
1

answered Jan 28 '09 at 21:28

David Z

128,184
27
255
279

4

Really? I thought you could set cookies for, say, example.com, and that they’d get sent to all example.com domains (e.g. www.example.com, actually-we-didnt-need-the-cookie-here-but-you-sent-it-anyway-what-a-waste-of-bandwidth-eh.example.com) – Paul D. Waite Jan 31 '10 at 07:26
Well a relevant part is this: _`A Set-Cookie2 from request-host example for Domain=.local will be accepted, because the effective host name for the request-host is example.local, and example.local domain-matches .local.`_ It only needs to accept .localhost. instead of .local. – Nicolay77 May 13 '15 at 18:25
Note that while set-cookie2 is obsolete, it lives on in Java's HTTPCookie, which is how I got here. And that means +1B devices affected by this. – Roy Falk Aug 05 '18 at 12:39

score 12 · Answer 3 · answered Jan 29 '09 at 16:05

12

I updated the jQuery plugin to not add the domain to the cookie when it is localhost. That solves my problem without touching the hosts file.

var domain = (options.domain && options.domain !== 'localhost') ? '; domain=' + (options.domain) : '';

answered Jan 29 '09 at 16:05

Brennan

11,546
16
64
86

score 6 · Answer 4 · answered Jan 31 '10 at 06:45

6

I'm using Code Ignitor, and setting the domain to an empty string fixed my problem while working on the application on localhost. I believe this is the better solution as everyone in the development team then doesn't need to mess with their hosts files on Windows.

Production domain values can be put in the config.php of Code Ignitor when deployed on a live site.

answered Jan 31 '10 at 06:45

Jaffer

745
1
9
20

+1 this works *and* is flexible across different dev machine. For me, this looks like... document.cookie = "MyCookie=" + yourCookieValueHere + ";domain="; – StarTrekRedneck Oct 22 '10 at 16:34

score 5 · Answer 5 · answered Jan 28 '09 at 21:21

5

I tried setting the host file to use an alternate name (local.acme.com) and I can now set cookies on that domain. It seems I cannot set cookies on localhost, at least not with Firefox. I do not recall that being a restriction for cookies. I would like to understand what is going on here.

Also, I did try just making the domain in the hosts file simply "dev" but that did not work. I had to use a name that ended in .com or another tld to make it work.

answered Jan 28 '09 at 21:21

Brennan

11,546
16
64
86

yes, it works only with fully qualified domain names. i guess it has to do with the need of setting same cookie for more than one domain name, e.g. www1.domain.com, www2.domain.com, so you need to set the cookie with domain .domain.com. – empi Jan 28 '09 at 21:35
1

As I pointed out in my answer, the RFC states that it has to do with the number of dots in the domain name, not whether it's fully qualified or not. – David Z Jan 28 '09 at 21:45

score 3 · Answer 6 · answered Oct 26 '10 at 18:31

3

Simplest solution for me to resolve this was to use 127.0.0.1 instead of localhost ;-) That works fine in Firefox!

answered Oct 26 '10 at 18:31

Mike

31
1

score 0 · Answer 7 · answered Sep 19 '20 at 04:54

Cookie needs to specify SameSite attribute, None value used to be the default, but recent browser versions made Lax the default value to have reasonably robust defense against some classes of cross-site request forgery (CSRF) attacks.

Along with Domain=localhost your cookie should look something like this

document.cookie = `${name}=${value}${expires}; Path=/; Domain=localhost; SameSite=Lax`;

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite

Can I use localhost as the domain when setting an HTTP cookie?

7 Answers7

Linked