
On the server I'm using express.js and in the browser I'm using the fetch API. I send a cookie using the default domain and the browser sets it properly and sends it with subsequent requests. But when I set the domain to the parent domain, the cookie does not get set. My understanding is that it should.

Suppose my code is being served from "my.example.com" port 8080. Then my server code would look like this:

response.cookie("token", token, {
    encode: String,
    domain: ".example.com",
    expires: new Date(Date.now() + 86400000000),
    secure: false
});

On the client my code looks like this:

fetch("/login", {
    credentials: "include", // also tried "same-origin"
    mode: "cors",           // also tried omitting
    headers: new Headers({
        // authentication data is here
    })
});

At first I thought it was the fact that it was the parent domain, but if I use any domain it seems that the cookie does not get saved.

So none of the following gets saved on the client:

    domain: ".example.com",
    domain: ".example.com:8080",
    domain: "my.example.com",
    domain: "my.example.com:8080",

But if I omit "domain", then it does get saved.

And to be clear, when I look at the reply in Chrome developer tools, I see the cookie was received - it just isn't getting saved for some reason.

I need to be able to set this cookie for any sub-domain from any other sub-domain. From what I have read a.example.com should have no problem setting a cookie to .example.com so that b.example.com can use it.

Update: I also tried using XMLHttpRequest, and get the same behavior!

Update 2: I am also not able to set the cookie directly from JavaScript with a parent domain, e.g. this works:

document.cookie = "token=<...>; Domain=my.example.com; Path=/";

but this does not:

document.cookie = "token=<...>; Domain=.example.com; Path=/";

From everything I have read, this line should work, yet it is not working for me. Am I correct in thinking there should be no problem here? If so, how can I troubleshoot why this is failing to set the cookie? Things I have already tried:

  1. my.example.com points to 127.0.0.1. Made it point to another non-localhost address; did not fix the issue.

  2. my.example.com was actually not a .com address or one of the other 5 hard-coded addresses for which only one dot is allowed. Made it point to a .com address, did not fix the issue.

  3. Maybe setting the cookie from the console for testing purposes doesn't work. Tried all my changes directly from javascript code loaded from the server, did not fix the issue.

  4. Maybe the order of the headers is important. Moved the path before the domain. Did not fix the problem.

  5. Maybe case is important. Changed "path" and "domain" to all lower case. Did not fix the problem.

  6. Maybe "path" doesn't need to be there. Removing it did not fix the problem.

  7. Removed whitespace from between elements of the cookie. No effect.

  8. Maybe there is a strange character confusing things that needs to be encoded. Checked and there are only alpha-numeric keys in the token. Cookie length is only about 100 bytes total, well under the maximum, since there is only one cookie.

  9. Maybe there is something weird about my domain name that the browser doesn't like not covered in the above. So I went to www.example.com, opened up the console and entered:

    document.cookie="token=1; domain=.example.com; path=/"

AND IT WORKED! However, I am mystified by what possible difference there is between my .com address and example.com! My domain is not of the form www.myhostname.com, but I can't see anything which says that the sub-domain must be "www". Is it possible there is something in the browser that is blacklisting or otherwise treating certain domains differently? (It's from a dynamic DNS hosting site, although I can't see how that could make a shred of difference, as the IP address is actually never changing and has a really long TTL.)

  10. My server is running on port 8080, not port 80. I switched it to run only on port 80 to see if that would make any difference. It did not.

Michael

1 Answer

Ouch. I wasted a lot of time trying to solve this one, only to find out that the browser is actively blocking me because my sub-domains are in a public suffix black hole list.

Michael
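The check behind the answer, as an added example that is not part of the original question or answer: browsers apply the Domain-attribute rules of RFC 6265 section 5.3, and one of those steps throws away any cookie whose Domain is a public suffix (an entry on the Public Suffix List at publicsuffix.org, which includes the parent domains of many dynamic-DNS providers). The code below models that decision so the cases from the question can be replayed. The public-suffix set is a constructed subset, "dyndns.example" is a hypothetical provider name standing in for the poster's real host, and the function names are mine rather than any browser's.

```javascript
// Added example (not code from the question or answer): a model of the
// Domain-attribute check a browser applies to a Set-Cookie header or a
// document.cookie assignment, after RFC 6265 section 5.3 steps 5 and 6.
// The public-suffix step is the one that rejected the poster's cookies.

// Constructed subset of the Public Suffix List (https://publicsuffix.org/).
// A real implementation loads the full list. "dyndns.example" is a
// hypothetical dynamic-DNS provider whose customer hostnames sit directly
// under a registered public suffix.
const PUBLIC_SUFFIXES = new Set([
  "com",
  "org",
  "co.uk",
  "dyndns.example",
]);

// Canonicalise a Domain attribute: lower-case it and drop one leading dot
// (RFC 6265 section 5.2.3). Nothing else is stripped, so a value carrying a
// port such as "example.com:8080" survives intact and simply fails to match.
function canonicalizeDomain(attr) {
  let d = attr.trim().toLowerCase();
  if (d.startsWith(".")) d = d.slice(1);
  return d;
}

// RFC 6265 section 5.1.3 domain-match: the host is the domain itself or
// ends with "." followed by the domain.
function domainMatches(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

function isPublicSuffix(domain) {
  return PUBLIC_SUFFIXES.has(domain);
}

// Decide whether a cookie with Domain=domainAttr, received from requestHost,
// would be stored. Returns the effective domain and host-only flag, or the
// reason the cookie is dropped.
function evaluateCookieDomain(requestHost, domainAttr) {
  const host = requestHost.toLowerCase();

  // No Domain attribute: a host-only cookie for the request host.
  if (!domainAttr) {
    return { accepted: true, hostOnly: true, domain: host, reason: "no Domain attribute" };
  }

  const domain = canonicalizeDomain(domainAttr);

  // Step 5: a Domain that is itself a public suffix is ignored, unless it is
  // exactly the request host, in which case the cookie degrades to host-only.
  if (isPublicSuffix(domain)) {
    if (domain === host) {
      return { accepted: true, hostOnly: true, domain: host, reason: "public suffix equals request host; treated as host-only" };
    }
    return { accepted: false, hostOnly: false, domain: null, reason: `"${domain}" is a public suffix` };
  }

  // Step 6: the request host must domain-match the Domain attribute.
  if (!domainMatches(host, domain)) {
    return { accepted: false, hostOnly: false, domain: null, reason: `"${host}" does not domain-match "${domain}"` };
  }

  return { accepted: true, hostOnly: false, domain, reason: "domain-matches request host" };
}

// Replay the cases from the question. A host under an ordinary registrable
// domain may scope its cookie to the parent; a host directly under a public
// suffix may not; and a Domain value with a port never matches anything.
const CASES = [
  ["my.example.com", ".example.com"],
  ["my.example.com", ".example.com:8080"],
  ["my.example.com", "my.example.com"],
  ["www.example.com", ".example.com"],
  ["myhost.dyndns.example", ".dyndns.example"],
  ["myhost.dyndns.example", "myhost.dyndns.example"],
];
for (const [host, attr] of CASES) {
  const r = evaluateCookieDomain(host, attr);
  console.log(`${host} Domain=${attr} -> ${r.accepted ? "stored" : "rejected"} (${r.reason})`);
}
```

Run with `node`. The "myhost.dyndns.example" rows reproduce the poster's situation: a cookie for the parent is rejected because the parent is a public suffix, while a cookie scoped to the full hostname is kept. That rejection is deliberate: if any host under a shared suffix could set a cookie for the whole suffix, it could inject cookies into every other customer's site.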