Introduction
So, tell me, have you ever wondered what would happen if you one day decided to set a cookie with the same name with a domain specified and without a domain specified.
Why in the world would anyone do such a thing you ask? Because reasons!
Now the question is how does IIS and various different browsers behave when we some how find ourselves in this horrible mess of a situation?
To help test out what the exact behavior is I decided that I should put together a proof of concept that would help determine the behavior.
Introducing the Cookie Tester. For all of your useless cookie testing needs!
I created it so that we could see what cookies get set in various ways.
You are free to look at the code at github https://github.com/GeekGirl1024/cookie-tester
(I hacked this together so please do not judge me too harshly for the sloppy code!)
Setting Cookies with and without domains
Cookies without domains specified gets set with the specific current domain. So if the full domain for the page is subdomain.cookietester.com, that is the domain that gets set for the cookie if no domain is specified.
If cookies are set with a domain that domain gets used.
Setting Cookies with the same key on different domains
Now if you do sloppy coding it is possible to fall into this situation where you will have 2 copies of the same cookie and you need to know which one takes priority. Which is why I had my cookie tester able to show how if we set multiple cookies across different domains which ones will apply first.
According to the cookie tester for Chrome and Firefox, the cookies are read in a first in first out order.
But what happens for IE and Edge?
As you can see on Edge and IE the cookies are not read first in first out but the no domain cookies in this case www.cookietester.com domain cookies were given higher priority than the cookies set with the domain cookietester.com.
Conclusion
Neither of these are wrong behaviors, it is just a lack of specifics within the standards. And the people writing the standards just never thought to specify this…
And really, there is no reason to specify this behavior because no one is silly enough to do this… Right?