This article is a part of our Web Security Knowledge Base (back to index)

Why Loosely Scoped Cookie can be dangerous

The domain scope applied to a cookie determines which domains can access it. For example a cookie can be scoped strictly to a subdomain e.g., or loosely scoped to a parent domain e.g. In the latter case, any subdomain of can access the cookie.

How to fix Loosely Scoped Cookie

Always scope cookies to a Fully Qualified Domain Name.

How does ScanRepeat report Loosely Scoped Cookie

ScanRepeat analyzes every HTTP response by retrieving its cookies and then comparing their domain scope with the host domain. ScanRepeat reports every occurrence of loosely the scoped cookie along with the url of HTTP response.

Would you like to test your application now against this problem? Sign up for our free trial

Scan Your Web App Now
Scan your application
for 14 days for free

No credit card is required. No commitment.

Sign Up Free