For our local development at work we all use the same fake domain – helps with setting API keys and other things across the board and isn’t hard to setup whatever system any new developer might have. It also happens to be not a “.com”: www.local.bnt – which is nice for not confusing it with real sites.
While developing cross-subdomain authentication we suddenly realised that it didn’t work on Opera. After a bit of research it turns out that it’s not the setting of the cookie path (“.local.bnt”) that is the problem, but the way Opera checks which part of the domain name is the top level domain:
“Here at Opera we went for the rule-of-thumb method: When Opera is checking a cookie whose target domain matches certain criteriea (e.g. it is not a .com domain), we do a DNS name lookup for the target domain, to see if there is an IP address for that domain. If there is an IP address for the domain (e.g. example.no) we assume that the domain is a normal company domain, not a co.uk like domain, and therefore safe. If there is no IP address we assume that the domain is co.uk-like and therefore unsafe, and only allows the cookie to be set for the server that sent the cookie.”
So that’s the problem right there and with an easy fix once you know the above… However the whole article is worth a read as it does shed some light on the multiple problems related to top level domains and cookies.
If you want to keep your random local domain name make sure your hosts file contains not only your sub domains, but the main one as well even if it is not used directly.