Overview

So I have a web application (Node.JS/React/GraphQL/PostgreSQL) and I'm switching from Auth0 to in-house (custom) authorization/authentication for my user base. The big catch here is the application can be 100% white-labeled for companies (including unique domains). The reason I'm switching is because Auth0 can't handle issues with 3rd party cookies, so any white-labeled client with their own URL can't authorize via Auth0 in some browsers where 3rd party cookies are disabled (due to domain differences).

JWT vs Cookies

So I have two ways to authenticate users when they interact with the application/API. I can either use traditional cookies and "session ids" or the more modern JWT. Since Auth0 gave me such problems authenticating when the API was on an "api.myapp.com" domain but the client (browser) was rendered over a "my.whitelabel.com" domain, I'm afraid if I go the traditional cookie route I'm going to have the same issues. JWT seems more versatile for CORS issues, while cookies seem more rigid and problematic for a white-labeled solution.

Why I Prefer Cookies

While the rigid nature of cookies presented a CORS issue with Auth0, that tech is more secure (or so it seems) and the ability to end a session immediately with malicious actors is very attractive to me.

Any advice on which I should explore... can cookie authentication handle white-labeled applications?

  • Does this answer your question? [JWT vs cookies for token-based authentication](https://stackoverflow.com/questions/37582444/jwt-vs-cookies-for-token-based-authentication) – Spomky-Labs Aug 13 '21 at 05:34
  • Not exactly, I understand the difference but I'm more specifically interested in understanding if 3rd party cookies will be an issue when white-labeling an application – Mark Sinapi Aug 13 '21 at 13:39
  • Finally, is the JWT the best way to handle authentication in SaaS applications that allow a CNAME whitelabeling to their clients? – Eduardo Rodriguez Aug 18 '21 at 17:49

1 Answer

Cookies can still work great for white-labelled apps. Your web server will likely need to rewrite the Set-Cookie header (on the way back to the client) so that it uses the white-label domain in place of the host of your server.

If you're doing that rewrite, you could handle white-labelling for subdomains as well as root domains.

Source: I run appmasker.com which basically is a managed proxy server that handles these types of white-labelling problems.

yroc