ASP.NET: Request cookies have null for domain?
When I examine my HttpContext.Current.Request.Cookies collection, some of my cookies have null for their Domain member.
Why/when is a Domain null?
The domain property is only for setting cookies. Obviously, if you are reading the cookie as part of the request, the client browser felt that the domain was appropriately matched to your site.
By default, Cookies are associated with the current domain.
So if on site www.foo.com and you do the following:
HttpCookie appCookie = new HttpCookie("AppCookie");
appCookie.Value = "written " + DateTime.Now.ToString();
appCookie.Expires = DateTime.Now.AddDays(1);
Response.Cookies.Add(appCookie);
The domain will be www.foo.com.
However, you can override this functionality by setting the scope of the domain:
Response.Cookies["AppCookie"].Domain = "bar.foo.com";
The cookie will then only be available to requests in that specific subdomain.
So of course, you can set the Domain to NULL, but I can't envision a scenario where this would be useful.
Check how you are creating your cookies.
Reference: http://msdn.microsoft.com/en-us/library/ms178194.aspx
An HttpCookie's Domain member is null when the .NET Framework constructs an instance of the HttpCookie class, initializes its value from values stored in a runtime configuration file (system.web/httpCookies), and the member is not overwritten with another value (not specified). This unspecified value indicates the cookie should be sent by the user agent (usually a browser) to only the server that originated the cookie and no other.
According to the Internet proposed standard RFC6265 HTTP State Management Mechanism:
If the server omits the Domain attribute, the user agent will return the cookie only to the origin server.
WARNING: Some existing user agents treat an absent Domain attribute as if the Domain attribute were present and contained the current host name. For example, if example.com returns a Set-Cookie header without a Domain attribute, these user agents will erroneously send the cookie to www.example.com as well.
The RFC does not define any specific value for unspecified, so implementors may choose whatever value or values they like. Microsoft chose to represent the Domain member as a string value, so either null or "" (String.Empty) represents unspecified, but the implicitly configured default value is null.
If you are receiving a cookie that has Domain value of null, it means the user agent processed the cookie, decided its origin matched the server it was sending the request to, and included the cookie data in the request's Cookie header. Likewise, if you are returning that cookie, you may expect to receive that cookie in another request only by the same host that is running your application.
In an ASP.NET application, if string.IsNullOrEmpty(cookie.Domain) is true, you may assume the user agent included the cookie in the request to the server it decided was the originating host, i.e. Request.Url.Host.
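The user-agent behaviour the answers above describe, as an added C# example that is not part of the original posts: it follows RFC 6265's storage and domain-matching rules to show which hosts get a cookie back when Domain is omitted versus set, and why the request gives the server no Domain to read. `StoredCookie`, its members and the cookie values are hypothetical names and constructed sample data; public-suffix rejection is left out.

```csharp
using System;
// Added illustration of RFC 6265 sections 5.1.3 and 5.3 (user-agent side).
// StoredCookie and its members are hypothetical names, not ASP.NET types.
// The hosts and cookie values in Main are constructed sample data.
sealed class StoredCookie
{
    public string Name, Value, Domain; public bool HostOnly;

    // origin: host that sent Set-Cookie; attr: Domain attribute, null or "" when omitted.
    public static StoredCookie FromSetCookie(string origin, string name,
                                             string value, string attr)
    {
        origin = origin.ToLowerInvariant();
        if (string.IsNullOrEmpty(attr))   // Domain omitted => host-only cookie
            return new StoredCookie { Name = name, Value = value,
                                      Domain = origin, HostOnly = true };
        string d = (attr[0] == '.' ? attr.Substring(1) : attr).ToLowerInvariant();
        if (!DomainMatch(origin, d)) return null;   // foreign domain: rejected
        return new StoredCookie { Name = name, Value = value, Domain = d };
    }

    // RFC 6265 5.1.3: identical, or host (not an IP address) ends with "." + domain.
    // Public-suffix rejection (5.3 step 5) is left out of this example.
    static bool DomainMatch(string host, string domain) =>
        host == domain || (host.EndsWith("." + domain, StringComparison.Ordinal)
                           && !System.Net.IPAddress.TryParse(host, out _));

    public bool SentTo(string requestHost)
    {
        requestHost = requestHost.ToLowerInvariant();
        return HostOnly ? requestHost == Domain : DomainMatch(requestHost, Domain);
    }

    // The Cookie request header carries name=value only: no Domain, Path, Expires.
    public string RequestHeaderPair() => Name + "=" + Value;
}
static class Demo
{
    static void Main()
    {
        var hostOnly = StoredCookie.FromSetCookie("www.foo.com", "AppCookie", "a", null);
        var scoped = StoredCookie.FromSetCookie("www.foo.com", "AppCookie", "b", "foo.com");
        foreach (var host in new[] { "www.foo.com", "bar.foo.com", "foo.com" })
            Console.WriteLine("{0,-12} host-only: {1,-5} Domain=foo.com: {2}",
                host, hostOnly.SentTo(host), scoped.SentTo(host));
        Console.WriteLine("Cookie: " + hostOnly.RequestHeaderPair());
    }
}
```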