I need to share a session cookie between the main domain and all subdomains. I have two Node.js services based on the Express.js framework:
// example.local
...
app.use(session({
    cookie: {
        domain: "example.local"
    }
    , key: 'sid'
    , secret: '[my secret]'
    , saveUninitialized: true
    , resave: true
    , store: new RedisStore({
        host: 'localhost',
        port: 6379
    })
}));

// blog.example.local
...
app.use(session({
    // what should I write here? <---------
}));
So my question is: what should I write in the session configuration of blog.example.local to get access to the existing cookie of example.local?
EDIT: as @yeiniel suggests, I should just use the same config for blog.example.local, like the following:
// blog.example.local
...
app.use(session({
    cookie: {
        domain: "example.local"
    }
    , key: 'sid'
    , secret: '[my secret]'
    , saveUninitialized: true
    , resave: true
    , store: new RedisStore({
        host: 'localhost',
        port: 6379
    })
}));
Is it enough, or can I optimize it?
However, all modern browsers respect the newer specification RFC 6265 and will ignore any leading dot, meaning you can use the cookie on subdomains as well as the top-level domain.
The article recommends the following structure: The marketing website should be on the main domain and separated from the product app. The product app should live on its own subdomain.
They are independent cookie attributes. Domain doesn't care about the same-site/cross-site context, and SameSite doesn't care about domain/subdomain scope of the cookie.
Cookies seem to be considered 3rd party if they come from different base domains (base domains being example.com or example.co.uk), but not if they come from different subdomains of the same base domain.
Basically you need two things: use the same settings on all servers (not just cookie settings but all the session settings, including the store) and ensure the cookie domain configuration points to the common domain between the sites.
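The domain rule the answers above rely on, as an added example that is not code from the original post: a simplified sketch of RFC 6265 cookie domain matching that shows which hosts receive the `sid` cookie depending on its Domain attribute. The function names are hypothetical, the host names are the question's, and the public-suffix check and the Path, Secure and SameSite attributes are left out.

```javascript
// Added example: simplified RFC 6265 matching. Omits the public-suffix check
// and the Path, Secure and SameSite attributes.

// Section 5.2.3: lower-case the Domain attribute and drop one leading dot.
function normalizeDomainAttr(value) {
  const v = String(value || '').toLowerCase();
  return v.startsWith('.') ? v.slice(1) : v;
}

// Section 5.1.3 domain-match: identical, or a suffix on a label boundary.
// IP-literal hosts only match exactly (simplified IPv4/IPv6 detection).
function domainMatch(host, cookieDomain) {
  const h = host.toLowerCase();
  if (h === cookieDomain) return true;
  const isIp = /^\d{1,3}(\.\d{1,3}){3}$/.test(h) || h.includes(':');
  return !isIp && h.endsWith('.' + cookieDomain);
}

// Would a browser attach the cookie to a request for requestHost?
// setByHost sent the Set-Cookie header; domainAttr is its Domain value, if any.
function cookieSentTo(requestHost, setByHost, domainAttr) {
  const d = normalizeDomainAttr(domainAttr);
  if (d === '') {
    // No Domain attribute: host-only cookie, exact host required.
    return requestHost.toLowerCase() === setByHost.toLowerCase();
  }
  // A server cannot set a cookie for a domain it does not belong to.
  if (!domainMatch(setByHost, d)) return false;
  return domainMatch(requestHost, d);
}

// Constructed cases using the question's host names.
const cases = [
  ['blog.example.local', 'example.local', 'example.local'],
  ['blog.example.local', 'example.local', '.example.local'],
  ['blog.example.local', 'example.local', undefined],
  ['badexample.local', 'example.local', 'example.local'],
  ['example.local', 'example.local', 'other.local'],
];
for (const [req, setter, dom] of cases) {
  console.log(`${req} <- Set-Cookie from ${setter}, Domain=${dom}:`,
    cookieSentTo(req, setter, dom));
}
```

With `domain: "example.local"` the session cookie is sent to every host under example.local, so each subdomain that shares the parent domain has to be trusted with the session identifier.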