Effective Date/Issuing Authority
Effective Date: November 27, 2024
Issuing Authority: Office of Information Technology Services
Purpose
This document provides guidelines for using the Domain and Path attributes when setting web cookies to ensure secure and efficient cookie management. Correct use of these attributes prevents potential security breaches and performance degradation by restricting the scope of cookies to appropriate domains and paths within our organization’s web ecosystem.
Domain Attribute
The Domain attribute controls which domains can access the cookie. By default, this attribute is not set, and the browser treats the cookie as host-only: it is returned only to the exact host that created it, not to its subdomains.
Best Practice
- Don't set the Domain attribute at all.
- If you choose to set it, set the Domain to the current host (e.g., subdomain.temple.edu).
- Avoid setting it to a higher-level domain like temple.edu.
  - Doing so would expose the cookie to all subdomains of temple.edu, meaning it would be included in every request to any page, file, or asset across those subdomains. This can lead to unnecessary data leakage and increased load on resources across multiple domains, risking performance issues and potential security breaches.
Path Attribute
The Path attribute defines the URL path for which the cookie is valid. It helps limit which parts of the site can access the cookie.
Best Practice
- Use the Path attribute to restrict the cookie to the specific section of the site that requires it, rather than making it available site-wide.
- Example: Setting Path=/restricted-section/ ensures that the cookie is only sent when the user accesses this path or a path beneath it.
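The following is an added example, not code from this guideline or from Temple's web applications. It models the browser-side matching rules for the Domain and Path attributes (RFC 6265, sections 5.1.3, 5.1.4 and 5.4) so that the difference between a host-only cookie, a cookie with Domain=temple.edu, and a cookie with Path=/restricted-section/ can be checked against concrete request URLs. The host names and URLs are constructed for illustration; one simplification is assumed: a cookie without a Path attribute is treated as Path=/ rather than deriving the default path from the request URI.

```python
"""Added example (not Temple's code): simulate which requests a browser would
attach a cookie to, based on its Domain and Path attributes. Implements the
domain-match and path-match rules of RFC 6265. Host names are constructed."""
from urllib.parse import urlparse


def parse_set_cookie(header, origin_host):
    """Parse a Set-Cookie header value into a dict.

    origin_host is the host that issued the header; it is remembered so that a
    cookie without a Domain attribute stays host-only, as in a real browser.
    Assumption: a missing Path attribute is treated as "/".
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name.strip(), "value": value.strip(),
              "origin_host": origin_host.lower(), "domain": None, "path": "/"}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "domain" and val:
            # A leading dot is ignored by modern browsers (RFC 6265 5.2.3)
            cookie["domain"] = val.lstrip(".").lower()
        elif key == "path" and val.startswith("/"):
            cookie["path"] = val
    return cookie


def domain_matches(request_host, cookie_domain):
    """RFC 6265 5.1.3: the host equals the domain or is a subdomain of it."""
    request_host = request_host.lower()
    return request_host == cookie_domain or request_host.endswith("." + cookie_domain)


def path_matches(request_path, cookie_path):
    """RFC 6265 5.1.4: paths are equal, or the cookie path is a prefix that
    ends in '/', or a prefix followed by '/' in the request path."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


def cookie_is_sent(cookie, request_url):
    """True if a browser would attach this cookie to a request for request_url."""
    url = urlparse(request_url)
    host = (url.hostname or "").lower()
    path = url.path or "/"
    if cookie["domain"] is None:
        # Host-only cookie: exact match on the issuing host, subdomains excluded
        if host != cookie["origin_host"]:
            return False
    elif not domain_matches(host, cookie["domain"]):
        return False
    return path_matches(path, cookie["path"])


def requests_receiving(cookie, urls):
    """The subset of urls to which the cookie would be sent, in order."""
    return [u for u in urls if cookie_is_sent(cookie, u)]


# Constructed scenario: three cookies issued by portal.temple.edu, and a few
# requests across Temple subdomains and paths.
URLS = [
    "https://portal.temple.edu/restricted-section/grades",
    "https://portal.temple.edu/public/news",
    "https://library.temple.edu/catalog",
    "https://static.temple.edu/img/logo.png",
]
HOST_ONLY = parse_set_cookie("session=abc123", "portal.temple.edu")
BROAD = parse_set_cookie("session=abc123; Domain=temple.edu", "portal.temple.edu")
SCOPED = parse_set_cookie("session=abc123; Path=/restricted-section/", "portal.temple.edu")

if __name__ == "__main__":
    for label, c in [("host-only", HOST_ONLY), ("Domain=temple.edu", BROAD),
                     ("Path=/restricted-section/", SCOPED)]:
        print(f"{label}: sent to {requests_receiving(c, URLS)}")
```

Running the script shows the host-only cookie reaching only portal.temple.edu requests, the Domain=temple.edu cookie reaching every subdomain (including the static asset request), and the Path-scoped cookie reaching only the restricted section, which is the exposure difference the Domain and Path best practices above describe.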
Additional Reference
The following are references to specific cookie attribute settings from the MDN Web Docs (Mozilla Developers Network) and from Google:
Key Takeaways
- Avoid broad Domain settings like temple.edu.
- Limit the cookie's availability to necessary parts of the site using the Path attribute.
Proper use of these attributes minimizes exposure of cookie data, reduces risk, and ensures better performance across all Temple’s websites.