CURLOPT_COOKIELIST.3: Explain Set-Cookie without a domain

Document that if Set-Cookie is used without a domain then the cookie is sent for any domain and will not be modified. Bug: http://curl.haxx.se/mail/lib-2015-05/0137.html Reported-by: Alexander Dyagilev
2025-03-13 15:37:04 +08:00 · 2015-05-25 17:27:53 -04:00 · 2015-05-25 17:27:53 -04:00 · b18a1654c1
commit b18a1654c1
parent 02dfc930b5
1 changed files with 7 additions and 0 deletions
--- a/docs/libcurl/opts/CURLOPT_COOKIELIST.3
+++ b/docs/libcurl/opts/CURLOPT_COOKIELIST.3
@ -36,6 +36,13 @@ Such a cookie can be either a single line in Netscape / Mozilla format or just
 regular HTTP-style header (Set-Cookie: ...) format. This will also enable the
 cookie engine. This adds that single cookie to the internal cookie store.

+If you use the Set-Cookie format and don't specify a domain then the cookie
+is sent for any domain and will not be modified. If a server sets a cookie of
+the same name (or maybe you've imported one) then both will be sent on a future
+transfer to that server, likely not what you intended. Either set a domain in
+Set-Cookie (doing that will include sub domains) or use the Netscape format as
+shown in EXAMPLE.
+
 Additionally, there are commands available that perform actions if you pass in
 these exact strings:
 .IP ALL