
Say I have a service that has two domains

app.myapp.com
api.myapp.com

My app does the whole OAuth/OpenID flow.

app.myapp.com/oauth
app.myapp.com/oauth/callback

In the /callback I set the accessToken as an http-only cookie on the current domain (app.myapp.com).

I have an assortment of microservices that live on api.myapp.com, all of which require an accessToken to work.

In the /callback stage of the OAuth flow, can I specify the other domain in my http-only cookie?

I am using Go + Gin

c.SetCookie(
    "accessToken", // name
    accessToken,   // value
    3600,          // maxAge in seconds
    "/",           // path
    "",            // domain (empty = current host only)
    false,         // secure
    true,          // httpOnly
)
David Alsh
    Possible duplicate of [How to set a cookie for another domain](https://stackoverflow.com/questions/6761415/how-to-set-a-cookie-for-another-domain) – Jonathan Hall Mar 10 '19 at 09:32
    If it's not possible to set the cookie on the second domain, how would you solve the above issue? – David Alsh Mar 10 '19 at 10:50

1 Answer

Well, it depends. In general, no, you cannot set cookies for a different domain.

But you can set cookies for all subdomains of a domain you "control" (read RFC 6265 and publicsuffix.org for details) by setting the Domain attribute of a cookie.

Volker
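An added example (not the asker's or the answerer's code) of the Domain attribute the answer refers to, written against net/http rather than Gin; the parent domain "myapp.com", the token value and the helper names are assumptions. The domainMatches helper reproduces the browser's RFC 6265 matching rule so you can see which hosts would receive the cookie and which would not.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// accessTokenCookie builds the cookie the /oauth/callback handler sets. Domain is
// the parent domain the app controls (assumed "myapp.com"), so the browser sends it
// to app.myapp.com and api.myapp.com alike; every host under it now sees the token.
func accessTokenCookie(token, parentDomain string) *http.Cookie {
	return &http.Cookie{
		Name:     "accessToken",
		Value:    token,
		Path:     "/",
		Domain:   parentDomain,
		MaxAge:   3600,
		Secure:   true, // TLS only; the question's call passed secure=false
		HttpOnly: true, // not readable from JavaScript
		SameSite: http.SameSiteLaxMode,
	}
}

// domainMatches applies the RFC 6265 section 5.1.3 rule a browser uses before sending
// a cookie: the request host must equal the cookie's Domain or be a subdomain of it.
// A leading dot is ignored. Browsers also reject public suffixes ("com"); not modelled.
func domainMatches(host, cookieDomain string) bool {
	host = strings.ToLower(host)
	cookieDomain = strings.ToLower(strings.TrimPrefix(cookieDomain, "."))
	return host == cookieDomain || strings.HasSuffix(host, "."+cookieDomain)
}

// callbackHandler is a stand-in for the question's /oauth/callback step using net/http
// directly; Gin's c.SetCookie wraps the same http.SetCookie call.
func callbackHandler(w http.ResponseWriter, r *http.Request) {
	token := "constructed-token" // the real handler gets this from the token exchange
	http.SetCookie(w, accessTokenCookie(token, "myapp.com"))
	w.WriteHeader(http.StatusNoContent)
}

func main() {
	c := accessTokenCookie("constructed-token", "myapp.com")
	for _, h := range []string{"app.myapp.com", "api.myapp.com", "myapp.com", "myapp.com.evil.example", "evilmyapp.com"} {
		fmt.Printf("%-24s cookie sent: %v\n", h, domainMatches(h, c.Domain))
	}
}
```

With Gin the same header comes from passing "myapp.com" as the domain argument of c.SetCookie (and true for secure).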