1

Looking for some input on cookies and subdomain, I have already read [1][2] and [3].

If I set a cookie's domain to ".live.example.com"

Will the cookie be available to api.live.example.com?

I believe the answer is Yes.

Will the cookie be available to uat.example.com?

I believe the answer is No.

Additional Cookie Attributes will be set, these should be irrelevant, but I will mention in case someone sees them as relevant:

httpOnly - enabled

Secure - enabled

Expires - end of session

Under what conditions would the cookie not be sent to api.live.example.com (site has a valid SSL certificate, relevant if someone suggests site not in SSL mode as secure flag is set)?

Why do I ask this second question?

I have previously set a cookie to ".example.com". The cookie did not send to api.example.com via XMLHTTPRequest (js loaded from www.example.com), but opening another browser tab and doing a GET request to api.example.com the cookie is sent. Therefore, browser is making some decision here.

Have I read anything already?

Yes, I have reviewed the following question on stackoverflow, and also read RFC6265 sections 5.1.3 and 5.2.3. Nothing I have read suggests the approach will not work:

[1] Existing stackoverflow question - Cookies Subdomains Share cookie between subdomain and domain

[2] RFC State Management - Domain Matching https://www.rfc-editor.org/rfc/rfc6265#section-5.1.3

[3] RFC State Management - Domain Attribute https://www.rfc-editor.org/rfc/rfc6265#section-5.2.3

Community
  • 1
  • 1
Darragh
  • 93
  • 5
  • 1
    _“The cookie did not send to api.example.com via XMLHTTPRequest”_ - then you likely did not specify the request attribute necessary to send credentials such as cookies with cross-domain requests ... – CBroe Feb 05 '18 at 14:15
  • _"then you likely did not specify the request attribute necessary to send credentials"_ Can you be more specific please? – Darragh Feb 05 '18 at 14:25
  • @CBroe are you referring to : https://developer.mozilla.org/en-US/docs/Web/API/XMLHttpRequest/withCredentials – Darragh Feb 05 '18 at 14:28
  • 1
    Yes, I am. You need to explicitly specify that you want to send such credentials with a cross-domain request. – CBroe Feb 05 '18 at 14:30
  • @CBroe - thank you - Yes this was missing. I will confirm. – Darragh Feb 05 '18 at 14:34
  • @CBroe just tested and yes this fixed the question regarding: _“The cookie did not send to api.example.com via XMLHTTPRequest”_ – Darragh Feb 05 '18 at 14:37
  • 1
    Regarding your first two Yes/No questions, you’re correct on those. – CBroe Feb 05 '18 at 14:38

1 Answers1

1

I can confirm I have created a test case to answer these questions:

Will the cookie be available to api.live.example.com?

The Answer is YES.

Will the cookie be available to uat.example.com?

The Answer is NO.

As noted by @CBroe, for XMLHTTPRequests, the withCredentials flag must be set to true [1].

And, in case anyone asks the question what about "www.example.com"

Will the cookie be available to www.example.com?

Hopefully, it is obvious from the previous question / answer.

No, the cookie will not be available to www.example.com

[1] XMLHTTPRequest withCredentials.

https://developer.mozilla.org/en-US/docs/Web/API/XMLHttpRequest/withCredentials

Darragh
  • 93
  • 5