Does a session cookie on different subdomain count as 3rd-party?

RossJ picture RossJ · Apr 10, 2012 · Viewed 10.5k times · Source

Suppose I have a site at www.example.com which has an IFRAME pointing to ASP.NET site myapp.othersite.com - this causes issues with session and 3rd-party cookies which I understand.

If I moved the embedded app to myapp.example.com, would the session cookie still count as a 3rd-party cookie as it is a different subdomain?

Answer

Bewusstsein picture Bewusstsein · Apr 21, 2015

Cookies seem to be considered 3rd party if they come from different base domains (base domains being example.com or example.co.uk), but not if they come from different subdomains of the same base domain.

myapp.example.com will be able to set cookies with domain myapp.example.com if it is embedded within www.example.com.

Having myapp.example.com set cookies with domain .example.com is unnecessary unless those cookies need to be read from a different subdomain.

[Tested in Firefox, Chrome (with 3rd party cookies blocked) and Safari] [ThirdPartyUtil.IsThirdPartyInternal seems to be where this is checked in Firefox]