I can't say for certain why this bug is exposed by NYTimes; however, I saw a comment on HN about trailing dots on domain names[1] being a browser implementation quirk.
The author of that article suggests that NYTimes may have misconfigured their Apache VirtualHost.
Based on what you are saying though, you lead me to believe that the NYTimes wants this behavior to occur, which I doubt.
If they want to paywall access to their site but adding a dot to the domain causes it to be bypassed, then it is misconfigured in some way, regardless of cookies.
> Based on what you are saying though, you lead me to believe that the NYTimes wants this behavior to occur, which I doubt.
Not at all. We wouldn't expect reddit.com. to share cookies with news.ycombinator.com. The browser enforces that hard separation between the 2 domains with respect to access to cookies and such.
That's the same split with nytimes.com and nytimes.com. . The browser sees them as 2 distinct domains, and will absolutely not let cookies cross.
> If they want to paywall access to their site but adding a dot to the domain causes it to be bypassed, then it is misconfigured in some way, regardless of cookies.
It's their choice (nytimes) to not do a paywall for a 'new potential customer'. And that data is stored in cookies. You can simulate that by purging all nytimes cookies and you can access as no initial paywall.
Going to their FQDN is a 'different domain' with respect to the browser and its cookie store. So it's only logical that you start 'fresh' (aka: no cookie history). And there's nothing that I know of that can allow cookie sharing... Then again I do systems administration.
> It's their choice (nytimes) to not do a paywall for a 'new potential customer'. And that data is stored in cookies. You can simulate that by purging all nytimes cookies and you can access as no initial paywall.
Thank you for clarifying. I hadn't considered that NYTimes may not show a paywall for a 'new potential customer' since I am all too familiar with their paywall.
I really feel like it's just a matter of time before they require an account to read the articles and only provide snippets to those who are beyond their free limit.
If you've ever administered BIND, you'll note that you need to add an ending . to A records. That's the FQDN.
Now, our browsers link cookies to domain. And interestingly enough (example.com)!=(example.com.)
That's why sites like nytimes.com. get around the paywall, because you don't have a cookie history with that site.
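
An added example, not part of the thread: a simplified model of how a cookie jar matches hosts as plain strings (so the trailing-dot name gets no cookies), and a server-side check that redirects trailing-dot requests to the canonical host. The hosts, cookie names and the `canonicalRedirect` helper are constructed for illustration.

```javascript
// Added example. The hosts, cookie names and jar below are constructed.
// Simplified cookie domain matching after RFC 6265: hosts are compared as
// strings, so "example.com." is not "example.com". IP literals not handled.
function domainMatches(requestHost, cookieDomain) {
  const host = requestHost.toLowerCase();
  const domain = cookieDomain.toLowerCase().replace(/^\./, ""); // leading dot ignored
  if (host === domain) return true;
  return host.endsWith("." + domain); // suffix match on a label boundary only
}

// Names of the cookies a browser-like jar would send to requestHost.
function cookiesFor(jar, requestHost) {
  return jar
    .filter((c) => c.hostOnly
      ? requestHost.toLowerCase() === c.domain
      : domainMatches(requestHost, c.domain))
    .map((c) => c.name);
}

// Server side (hypothetical helper): given the Host header, return the URL to
// redirect to when the host has a trailing dot, or null when it is canonical.
function canonicalRedirect(hostHeader, path) {
  const [name, port] = hostHeader.trim().toLowerCase().split(":");
  if (!name.endsWith(".")) return null;
  const canonical = name.replace(/\.+$/, "");
  if (canonical === "") return null;
  return "https://" + canonical + (port ? ":" + port : "") + path;
}

const jar = [
  { name: "article_count", domain: "example.com", hostOnly: false },
  { name: "session", domain: "www.example.com", hostOnly: true },
];

for (const host of ["www.example.com", "www.example.com."]) {
  console.log(host, "->", cookiesFor(jar, host), canonicalRedirect(host, "/story"));
}
```

Redirecting the trailing-dot host to the canonical name keeps every visitor on the one host whose cookie history the site actually tracks.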