
How to configure application to be available subdomain cookie?

I need to share a session cookie between the main domain and all subdomains. I have two Node.js services based on the Express.js framework:

// example.local

    ...
    app.use(session({
       cookie: {
          domain: "example.local"
       }
       , key: 'sid'
       , secret: '[my secret]'
       , saveUninitialized: true
       , resave: true
       , store: new RedisStore({
          host: 'localhost',
          port: 6379
       })
    })); 

// blog.example.local

    ...
    app.use(session({
       // what should I write here? <---------
    })); 

So my question is: what should I write in the session configuration of blog.example.local to get access to the existing cookie of example.local?

EDIT: as @yeiniel suggested, I should just use the same config for blog.example.local, like the following:

// blog.example.local

    ...
    app.use(session({
       cookie: {
          domain: "example.local"
       }
       , key: 'sid'
       , secret: '[my secret]'
       , saveUninitialized: true
       , resave: true
       , store: new RedisStore({
          host: 'localhost',
          port: 6379
       })
    })); 

Is it enough, or can I optimize it?

Erik asked Jun 21 '16 22:06



1 Answer

Basically you need two things: use the same settings on all servers (not just cookie settings but all the session settings, including the store) and ensure the cookie domain configuration points to the common domain between the sites.

yeiniel answered Sep 21 '22 22:09
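The answer's two conditions, as an added example that is not part of the original question or answer: a simplified model of how a service accepts a session cookie, showing which mismatch (cookie domain, cookie name, secret, store) breaks sharing. The signed value is modelled on the `s:`-prefixed HMAC format express-session uses; the function names, secret, session id and in-memory `Map` standing in for Redis are all constructed assumptions.

```javascript
// Added example; every value below is constructed for illustration.
const nodeCrypto = require('crypto');

// RFC 6265 domain matching: is a cookie with this Domain attribute sent to `host`?
function domainMatches(host, cookieDomain) {
  const h = host.toLowerCase();
  const d = cookieDomain.toLowerCase().replace(/^\./, ''); // leading dot is ignored
  return h === d || h.endsWith('.' + d);
}

// Signed cookie value: "s:<sid>.<unpadded base64 HMAC-SHA256 of sid>".
function signSid(sid, secret) {
  const mac = nodeCrypto.createHmac('sha256', secret).update(sid)
    .digest('base64').replace(/=+$/, '');
  return `s:${sid}.${mac}`;
}

// Returns the session id if the signature verifies under `secret`, else null.
function unsignSid(value, secret) {
  const dot = value.lastIndexOf('.');
  if (!value.startsWith('s:') || dot < 2) return null;
  const sid = value.slice(2, dot);
  const expected = Buffer.from(signSid(sid, secret));
  const actual = Buffer.from(value);
  return expected.length === actual.length &&
    nodeCrypto.timingSafeEqual(expected, actual) ? sid : null;
}

// What a service does with an incoming request: pick the cookie by name,
// verify it with its own secret, then look the id up in its own store.
function resolveSession(service, host, browserJar) {
  const cookie = browserJar.find(
    (c) => c.name === service.name && domainMatches(host, c.domain));
  if (!cookie) return 'no cookie';
  const sid = unsignSid(cookie.value, service.secret);
  if (sid === null) return 'bad signature';
  return service.store.has(sid) ? 'session found' : 'unknown session id';
}

// Constructed setup: the main site has already issued a session cookie.
const sharedStore = new Map([['abc123', { user: 'demo' }]]);
const mainSite = { name: 'sid', secret: 'constructed-secret', store: sharedStore };
const jar = [{ name: 'sid', domain: 'example.local',
  value: signSid('abc123', mainSite.secret) }];

console.log(resolveSession(mainSite, 'blog.example.local', jar)); // same settings
console.log(resolveSession({ ...mainSite, secret: 'other' }, 'blog.example.local', jar));
console.log(resolveSession({ ...mainSite, store: new Map() }, 'blog.example.local', jar));
```

Because every service that shares the cookie must hold the same signing secret, keep that secret in shared configuration or a secret manager rather than hard-coding it in each service.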
