Cookie collision: is it possible to distinguish between parent domain and subdomain cookies in Django and Javascript?

Question

I have built a bunch of Django websites at a single domain:

example.com
site1.example.com
site2.example.com
site3.example.com

They are supposed to be completely independent — used by different people for different purposes.

However cookies set by example.com are given priority by Django, and values set by site1.example.com, site2.example.com etc. are ignored if the parent domain has set a cookie with the same name.

How it works:

When the first page is loaded, it sets a cookie so the server knows to send a computer page or a mobile page with the next request.

The Django program builds the correct version based on the cookie value.

When site1.example.com loads, it sets a cookie asking for the mobile version. But then the Django program sees the value set by example.com and ignores the correct cookie.

So, I need a way to do one of the following:

prevent site1.example.com from reading the cookie of example.com
differentiate in Django the domain associated with the cookie so I can tell that the value is wrong
find a way to set a parent domain cookie in Javascript that makes it inaccessible to subdomains (I'm not using www)

If I can't find an elegant solution, I will likely end up changing the cookie name to vary with the domain name.

I know that I could use the session framework, but apart from this particular issue, everything works great. I would really like to avoid modifying my existing system, though obviously I will if I have to.

[update] Here is the cookie-setting function:

function setCookie(cname, cvalue, exdays) {

  var domain = window.location.hostname;


  if (exdays > 7) exdays = 7; // max in Safari

  var d = new Date();
  d.setTime(d.getTime() + (exdays*24*60*60*1000));

  var name = cname + '=' + cvalue + '; ';
  var expy = 'expires=' + d.toUTCString(); + '; ';
  var domn = '; domain=' + domain + '; ';
  var path = 'path=/; ';
  var secu = 'samesite=lax; secure;';

  var complete = name + expy + domn + path + secu;
  document.cookie = complete;
}

Does this help? https://docs.djangoproject.com/en/4.0/ref/settings/#csrf-cookie-domain — , Mar 16 '22 at 15:44
Thanks, but I think that that applies only to the actual CSRF cookie, and wouldn't be applied to other cookies. — Andy Swift, Mar 16 '22 at 16:12

Abdul Aziz Barkat · Accepted Answer · 2022-03-20T09:22:53.717

Since you say the websites are supposed to be completely independent the 3rd solution you propose seems most sensible. You should not be setting cookies in such a way that they are accessible by subdomains. Currently you are specifying the domain in the cookie, you should be skipping the domain which would mean the cookie would only be sent for the current domain (At least in modern browsers, IE does not follow this specification). If a domain is specified in the cookie it means that the cookie would also be used for the subdomains.

As mentioned in RFC 6265 - section 4.1.2.3:

If the server omits the Domain attribute, the user agent will return the cookie only to the origin server.

Hence your cookie setting function should be like the following:

function setCookie(cname, cvalue, exdays) {
  // Domain should not be set unless cookie needs to be accessed by subdomains
  // var domain = window.location.hostname;


  if (exdays > 7) exdays = 7; // max in Safari

  var d = new Date();
  d.setTime(d.getTime() + (exdays*24*60*60*1000));

  var name = cname + '=' + cvalue + '; ';
  var expy = 'expires=' + d.toUTCString(); + '; ';
  // Domain should not be set unless cookie needs to be accessed by subdomains
  // var domn = '; domain=' + domain + '; ';
  var path = 'path=/; ';
  var secu = 'samesite=lax; secure;';

  var complete = name + expy + path + secu;
  document.cookie = complete;
}

Great answer. Can you add a link to a reference? – Andy Swift Mar 20 '22 at 08:49 — Andy Swift, Mar 20 '22 at 08:49
@AndrewSwift added a reference to RFC 6265. – Abdul Aziz Barkat Mar 20 '22 at 09:23 — Abdul Aziz Barkat, Mar 20 '22 at 09:23

score 0 · Answer 2 · answered Mar 16 '22 at 16:16

As a temporary fix, I added some code to my setCookie function:

  var domain = window.location.hostname;
  deleteParentCookieIfNecessary(name, domain);

deleteParentCookieIfNecessary contains:

function deleteParentCookieIfNecessary(name, domain){
  var parts = domain.split('.');
  if (parts.length > 2){ // on subdomain
    var domain = parts.slice(-2).join('.');
    document.cookie = cname + '=;domain=.' + domain + ';path=/;max-age=0';
  }
}

The result is that when the cookie is set, if the url is a subdomain then the parent-domain's cookie of the same name will be automatically deleted.

Cookie collision: is it possible to distinguish between parent domain and subdomain cookies in Django and Javascript?

How it works:

2 Answers2