19

I have an application 1 (C#) that is hosted on port 80 and an application 2 (Node.js) that is hosted on port 3030. Both are on localhost.

The request workflow is as follows:

  • browser sends a request to application 1
  • application 1 sends back a number of cookies
  • later on, the browser sends a request to application 2
  • ^ the problem is in the last step: the cookies don't get included in the request.

Things I have tried/understood:

  • I understand that this is a same-origin policy restriction, and because of the different port # the browser treats them as different domains.
  • In Application 1 (it's using System.Web.HttpCookie) I have tried to set the domain to be port specific ("127.0.0.1:3030"), but it seems like the browser doesn't accept it or ignores it.

    //c# code
    var testCookie1 = new HttpCookie("Test", "testValue");
    testCookie1.Domain = "127.0.0.1:3030";
    testCookie1.Path = "/";
    testCookie1.Expires = DateTime.Now.AddDays(1);
    Response.SetCookie(testCookie1);
    
    var testCookie2 = new HttpCookie("Test2", "testValue2");
    testCookie2.Domain = "127.0.0.1";
    testCookie2.Path = "/";
    testCookie2.Expires = DateTime.Now.AddDays(1);
    Response.SetCookie(testCookie2);
    

[Image: cookies that come back from server]
[Image: cookies that get stored in browser]

The server sends back a cookie with the port number attached to it, but the browser seems to ignore it.

And here is my AJAX call:

    var request = $.ajax({
        url: 'http://127.0.0.1:3030/SomeTask',
        type: 'POST',
        crossDomain: true,
    });
scorpion5211
  • 1
    two servers are communicating with each other, on stage/production level this is gonna be simple to achieve since they are going to have the same domain and same port (80), but I am trying to get it to work on localhost for the development environment. @CodeCaster – scorpion5211 Jul 31 '17 at 18:41
  • how did you get it to work ? – lbris Feb 24 '21 at 22:03

3 Answers

11

Your domain is the same in this case, localhost, so there shouldn't be any problem.

Another thing is: the port is part of a URI, not of a domain; the domain is also part of a URI, so you are mixing apples and fruits...

Please refer to this other question on SO.

The RFC clearly states:

Introduction

For historical reasons, cookies contain a number of security and privacy infelicities. For example, a server can indicate that a given cookie is intended for "secure" connections, but the Secure attribute does not provide integrity in the presence of an active network attacker. Similarly, cookies for a given host are shared across all the ports on that host, even though the usual "same-origin policy" used by web browsers isolates content retrieved via different ports.

I didn't give it a try myself.

In my job, we have to share cookies across subdomains (not ports) by setting a dot in front of the domain:

    var testCookie1 = new HttpCookie("Test", "testValue");
    testCookie1.Domain = "." + mydomain;

This way x.mydomain and y.mydomain will share cookies.

So, try not to set the port in the cookies, and use the name localhost instead of the resolved IP address.

You can simulate production by setting something like this in your hosts file:

    127.0.0.1   myawesomesubdomain.thisdomainnotexist.com.tr

and then set the cookie to that domain without the port.

dariogriffo
2

Here are two different solutions you can try:

  1. Run an Apache server and route the requests to either server
  2. Disable security (i.e., same-origin policy) in the browsers.
liam
1

In order to share cookies, your two apps should be on the same domain, like app1.myapp.com and app2.myapp.com; this way they both have access to myapp.com cookies.

You can emulate this locally by setting:

    127.0.0.1 app1.myapp.com
    127.0.0.1 app2.myapp.com

in your hosts file, located in C:\Windows\System32\drivers\etc or /etc/hosts

Gabriel Bleu
  • Please explain how this would work in production. Surely you don't want the visitors to edit their host file? – CodeCaster Jul 31 '17 at 14:12
  • 1
    In production you would have `app1.myapp.com` and `app2.myapp.com` registered in your DNS. – Gabriel Bleu Jul 31 '17 at 14:29
  • I followed your example, I understand the concept that the two apps need to be under the same domain for cookies to get shared, but I'm not seeing how two different domains pointing to the same IP would help. My app2 lives on 127.0.0.1:3030. I did try to use Fiddler to set up the HOST script to forward the app2 domain to 127.0.0.1:3030, so I ended up having 2 apps with the domains app1.myapp.com and app2.myapp.com, but it seems like cookies are still not getting sent to app2. – scorpion5211 Jul 31 '17 at 18:43
  • 1
    When you set the cookie, you should set its domain to `myapp.com`, this way it's shared across all subdomains. See [here](https://stackoverflow.com/questions/1062963/how-do-browser-cookie-domains-work) for details. – Gabriel Bleu Aug 01 '17 at 07:36
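
Added example (not code from the question or from any answer): a simplified model of the RFC 6265 domain rules that the first answer quotes and the third answer relies on, showing why a `Domain` value containing a port is dropped while a port-less one is eligible for requests to any port. The function names are hypothetical, the hosts are constructed, and the model covers domain scoping only (no path, `Secure`, `SameSite`, public-suffix checks or cross-origin credentials settings).

```javascript
// Simplified cookie domain scoping after RFC 6265 (sections 5.1.3 and 5.3).
// Function names and sample hosts are constructed for illustration.
const isIp = (h) => /^\d{1,3}(\.\d{1,3}){3}$/.test(h);

// 5.1.3 domain-match: identical strings, or a dot-delimited suffix of a
// host name. IP addresses only ever match themselves.
function domainMatch(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  if (host === domain) return true;
  return !isIp(host) && host.endsWith("." + domain);
}

// 5.3 (domain steps only): returns the scope stored for a cookie set by
// requestHost, or null when the user agent ignores the cookie entirely.
function storeCookie(requestHost, domainAttr) {
  if (!domainAttr) return { domain: requestHost.toLowerCase(), hostOnly: true };
  const domain = domainAttr.replace(/^\./, "").toLowerCase(); // leading dot dropped
  if (!domainMatch(requestHost, domain)) return null; // "127.0.0.1:3030" ends here
  return { domain, hostOnly: false };
}

// Is a stored cookie eligible for a request to url? Only the host name is
// compared; the port in the URL is never consulted.
function isSent(cookie, url) {
  if (!cookie) return false;
  const host = new URL(url).hostname; // hostname excludes the port
  return cookie.hostOnly ? host === cookie.domain : domainMatch(host, cookie.domain);
}

function scenarios() {
  const app2 = "http://127.0.0.1:3030/SomeTask";
  const sub2 = "http://app2.myapp.com:3030/SomeTask";
  return {
    // Domain with a port never matches the request host, so nothing is stored.
    portInDomainStored: storeCookie("127.0.0.1", "127.0.0.1:3030") !== null,
    // Port-less IP domain: stored, and eligible for port 3030 as well.
    ipCookieSentToPort3030: isSent(storeCookie("127.0.0.1", "127.0.0.1"), app2),
    // Parent domain set by app1 is eligible for app2 on another port.
    parentDomainSentToApp2: isSent(storeCookie("app1.myapp.com", ".myapp.com"), sub2),
    // No Domain attribute: host-only cookie, not shared with the sibling host.
    hostOnlySentToApp2: isSent(storeCookie("app1.myapp.com", undefined), sub2),
  };
}

console.log(scenarios());
```
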