We have several web applications across multiple subdomains, app1.company.com, app2.company.com, and so on. Additionally, we have multiple environments: prod, staging, dev1, dev2.
Each environment has all of its services use -ENV at the end of the app name to distinguish it from the others. For example:
This would not be an issue except that we want to start sharing cookies from within an environment. This would mean that cookies would have to have their domain set to .company.com, which would break our sandboxing. The alternative would be to prefix the environment to cookie names, but that also seems like a kludge, and doesn't provide real security.
So the question is: how do people set up their prod, staging and dev environments so that cookies are sandboxed from each other?
Use different domains. You have correctly pointed out that setting the cookie domain to just 'company.com' would share them over all domains and not just some.
You could change the code to set/listen for different cookies in different environments, but that could still make debugging / diagnostics hard if you have lots of spurious cookies in your requests.
So use different domains like:
app1.company.com, app2.company.com                    cookiedomain=.company.com
app1.staging-company.com, app2.staging-company.com    cookiedomain=.staging-company.com
app1.dev-company.com, app2.dev-company.com            cookiedomain=.dev-company.com
Setting up additional domains is easy; you may have an extra SSL certificate cost, but it would not normally be significant. The '.' before the domain set in the cookie is important.
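To see why the per-environment registrable domain isolates cookies while environment-suffixed hostnames under one domain do not, here is an added example (not from the question or the answer above) that simulates the browser's cookie domain-matching rule from RFC 6265 section 5.1.3 against both layouts. The hostnames are constructed; the "-staging"/"-dev" suffix form follows the question's description of "-ENV at the end of the app name", and the separate-domain layout follows the answer's table.

```python
# Added example: simulate which hosts a browser sends a cookie to, using the
# domain-matching rule of RFC 6265 section 5.1.3, and compare the two layouts
# discussed in the thread. All hostnames below are constructed.

def domain_match(host: str, cookie_domain: str) -> bool:
    """Return True if `host` domain-matches the cookie's Domain attribute.

    RFC 6265 5.1.3: the two strings are identical, or `host` ends with
    "." + cookie_domain. Current browsers ignore a leading "." on the
    Domain attribute (5.2.3), so ".company.com" and "company.com" scope
    the cookie identically. IP literals are not handled here; a Domain
    attribute never matches an IP address.
    """
    host = host.lower().rstrip(".")
    cookie_domain = cookie_domain.lower().strip(".")
    return host == cookie_domain or host.endswith("." + cookie_domain)


# Layout 1 (the question's setup): every environment under one registrable
# domain, with the environment as a suffix on the app name.
ONE_DOMAIN_LAYOUT = {
    "prod":    ["app1.company.com", "app2.company.com"],
    "staging": ["app1-staging.company.com", "app2-staging.company.com"],
    "dev":     ["app1-dev.company.com", "app2-dev.company.com"],
}

# Layout 2 (the answer's suggestion): one registrable domain per environment.
PER_ENV_DOMAIN_LAYOUT = {
    "prod":    ["app1.company.com", "app2.company.com"],
    "staging": ["app1.staging-company.com", "app2.staging-company.com"],
    "dev":     ["app1.dev-company.com", "app2.dev-company.com"],
}


def shared_env_cookie_domain(layout: dict, env: str) -> str:
    """Smallest Domain attribute that covers every host of `env`: the longest
    common dotted suffix of its hostnames. In layout 1 this is forced to be
    'company.com' for every environment, which is exactly the problem."""
    labels = [h.lower().split(".")[::-1] for h in layout[env]]
    common = []
    for parts in zip(*labels):
        if len(set(parts)) != 1:
            break
        common.append(parts[0])
    return ".".join(reversed(common))


def environments_reached(cookie_domain: str, layout: dict) -> list:
    """Environments with at least one host that would receive the cookie."""
    return sorted(env for env, hosts in layout.items()
                  if any(domain_match(h, cookie_domain) for h in hosts))


if __name__ == "__main__":
    for name, layout in (("one domain", ONE_DOMAIN_LAYOUT),
                         ("per-env domain", PER_ENV_DOMAIN_LAYOUT)):
        print(f"== {name} ==")
        for env in layout:
            dom = shared_env_cookie_domain(layout, env)
            reached = environments_reached(dom, layout)
            print(f"{env:8} Domain={dom:22} reaches {reached}")
```

Running the script shows that under the one-domain layout every environment's shared cookie must use Domain=company.com and therefore reaches all three environments, whereas under the per-environment layout each environment's cookie domain reaches only its own hosts. The domain-matching rule is a plain suffix match on whole labels, so "staging-company.com" never matches "company.com".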