
Can $_COOKIE ever contain cookies set by another domain?

Suppose I have a website www.mysite.com.

Can the $_COOKIE array ever contain cookies that were set by domains other than www.mysite.com, if I am using $_COOKIE via PHP code on the domain www.mysite.com?

My understanding (which is quite limited!) is that a domain can only access cookies that it set itself, which means that $_COOKIE could only contain cookies which were set by the domain. Is this correct?

No. Only a nonfunctional browser would do such a thing.

Only the client can view all the cookies for all separate domains; the browser makes sure to send only the cookies related to the current domain and none other.

To be precise, $_COOKIE can only access cookies set by its own domain.

It is possible, but only for subdomains, to share some cookies by using '.domain.com' instead of 'domain.com'.

Across different domains, like domain1.com and domain2.com, it is not possible.

The HTTP request sent to your server from the browser will contain the cookies that you have placed in the browser. Accessing a cookie that does not belong to your domain would be malicious activity, giving rise to security issues.

  • Cookie stealing/session hijacking is a type of attack that is used to steal an active session of another user.
  • After a user logs in to a website, a cookie is stored on the computer so that every time he goes to a different page on that site, re-authentication is not needed.
  • If someone gets a hold of someone else's cookies and adds them in the browser, then the attacker's stored username/password combo or session ID becomes the same as the victim's, therefore authenticating the attacker on a website as someone else (the victim), without having to know their credentials.
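The domain scoping the answers describe, as an added example (not code from the original posts): a simplified model of the RFC 6265 rules a browser applies when it stores a cookie and when it decides which cookies to send with a request. The function names and the cookie jar are constructed for illustration; the public suffix list, paths and expiry are left out.

```javascript
// Simplified RFC 6265 cookie scoping (no public-suffix list, paths or expiry).
const isIp = (h) => /^\d{1,3}(\.\d{1,3}){3}$/.test(h) || h.includes(":");

// RFC 6265 section 5.1.3: identical, or host is a subdomain of the cookie domain.
function domainMatches(host, cookieDomain) {
  host = host.toLowerCase();
  cookieDomain = cookieDomain.toLowerCase();
  if (host === cookieDomain) return true;
  return !isIp(host) && host.endsWith("." + cookieDomain);
}

// What the browser does with a Set-Cookie received from `setterHost`.
// Returns the stored cookie, or null when the cookie is rejected.
function storeCookie(setterHost, name, domainAttr) {
  if (!domainAttr) {
    // No Domain attribute: host-only cookie, sent back to this exact host only.
    return { name, domain: setterHost.toLowerCase(), hostOnly: true };
  }
  const domain = domainAttr.replace(/^\./, "").toLowerCase(); // leading dot is ignored
  // A site may only set cookies for itself or for a parent domain.
  if (!domainMatches(setterHost, domain)) return null;
  return { name, domain, hostOnly: false };
}

// Names of the cookies the browser attaches to a request for `host`;
// this is everything PHP can see in $_COOKIE for that request.
function cookiesSentTo(host, jar) {
  host = host.toLowerCase();
  return jar
    .filter((c) => (c.hostOnly ? c.domain === host : domainMatches(host, c.domain)))
    .map((c) => c.name);
}

// Constructed cookie jar (hostnames other than www.mysite.com are made up).
const jar = [
  storeCookie("www.mysite.com", "sid", null),
  storeCookie("www.mysite.com", "prefs", ".mysite.com"),
  storeCookie("shop.mysite.com", "cart", "mysite.com"),
  storeCookie("www.other.com", "tracker", null),
  storeCookie("www.other.com", "forged", "mysite.com"), // rejected, returns null
].filter(Boolean);

console.log(cookiesSentTo("www.mysite.com", jar));  // sid, prefs, cart
console.log(cookiesSentTo("shop.mysite.com", jar)); // prefs, cart
console.log(cookiesSentTo("www.other.com", jar));   // tracker
```

In this model `cart`, set by shop.mysite.com with a Domain attribute, is also sent to www.mysite.com, so $_COOKIE can hold values set by sibling subdomains of the same parent domain and should be treated as untrusted input.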
