Is it possible to set an HttpOnly Cookie from one domain to another subdomain

I originally posted this question here: https://security.stackexchange.com/questions/255737/is-it-possible-to-set-an-httponly-cookie-from-one-domain-to-another-subdomain

Please keep in mind that this question is specific to cookies with the HttpOnly flag set to true.

I am pretty sure that the answer to my question is no, but I have been having a hard time finding an answer through official documentation or other posts here. Here is a simple use case for some context:

  1. Python backend web application (api.domain.com)
  2. Frontend JavaScript SPA (app.domain.com)
  3. post requests to api.domain.com/api/auth/login/ made from app.domain.com using axios with the correct username and password return a response with an access JWT token in the body and the response sets a refresh cookie with an HttpOnly flag [should fail, since I believe that the cookie cannot be set on app.domain.com from an API request to api.domain.com? -- this is my question]
  4. the access token is stored in memory and passed with each API request
  5. requests made to api.domain.com/api/auth/refresh/ are sent on a schedule to refresh the short-lived access token.

I typically host the frontend app and backend app on the same subdomain (app.domain.com) and do path-based routing with something like CloudFront or nginx, and this works well. For example, all requests starting with /api/* are sent to the backend, and all other requests are sent to the frontend app. Trying to use a separate subdomain for the API seems to fail no matter what options I use for setting the cookie on the server.

Can someone help me confirm that it is in fact not possible to set an HttpOnly cookie on a subdomain like app.domain.com from an API request hosted on api.domain.com? It would be great if anyone can also help me find where this could possibly be found in official documentation.

Searching for set httpOnly cookie across subdomains, I haven't found anything directly relevant. I also didn't find anything in these resources that directly answers my question:

https://owasp.org/www-community/HttpOnly

https://learn.microsoft.com/en-us/previous-versions//ms533046(v=vs.85)?redirectedfrom=MSDN

briancaffey asked Nov 03 '25 14:11


1 Answer

This is possible. In fact I just did it.

On your frontend, using Axios:

import axios from 'axios';

const baseURL = 'https://api.example.com';

// withCredentials makes the browser send cookies with cross-origin requests
// and honour Set-Cookie on the responses
const api = axios.create({
  baseURL,
  withCredentials: true,
});

On your backend, using Express:

const express = require('express');
const cors = require('cors');

const app = express();

// Echo the frontend origin and allow credentials; browsers reject a
// wildcard origin on credentialed requests
app.use(
  cors({
    origin: 'https://www.example.com',
    credentials: true,
  }),
);

app.post('/login', async (req, res) => {
  const someCookieValue = 'placeholder-value'; // placeholder: issue a real token here
  // Domain=example.com scopes the cookie to example.com and every subdomain
  res.cookie('someCookie', someCookieValue, {
    secure: true,
    domain: 'example.com',
    httpOnly: true,
  });
  res.sendStatus(204); // end the response (missing in the original snippet)
});

app.listen(3000);
just a person answered Nov 06 '25 14:11
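The two rules the question and the answer turn on are the browser's cookie scoping (a cookie without a Domain attribute is host-only and goes back only to the host that set it; Domain=example.com covers every subdomain) and the CORS headers an API must send before a browser will attach or accept cookies on a cross-origin request. The following is an added example, not code from the question, the answer or any project mentioned; it models both rules in plain functions, with host names, origins and cookie values constructed for illustration, and goes slightly beyond the thread by also showing a Domain attribute the browser rejects.

```javascript
// Added example (not from the question or the answer): how a browser scopes a
// cookie set by api.example.com, and what the API must send for a credentialed
// cross-origin request from app.example.com. All names/values are constructed.

// Domain-match per RFC 6265 section 5.1.3: the request host equals the cookie
// domain or ends with "." followed by the cookie domain.
function domainMatches(requestHost, cookieDomain) {
  const host = requestHost.toLowerCase();
  const domain = cookieDomain.toLowerCase();
  return host === domain || host.endsWith('.' + domain);
}

// Build a Set-Cookie header value the way an API at api.example.com would.
// Without a Domain attribute the cookie is host-only and is returned only to
// the exact host that set it.
function buildSetCookie(name, value, { domain, httpOnly = true, secure = true, sameSite = 'Lax' } = {}) {
  const parts = [`${name}=${value}`, 'Path=/'];
  if (domain) parts.push(`Domain=${domain}`);
  if (secure) parts.push('Secure');
  if (httpOnly) parts.push('HttpOnly');
  parts.push(`SameSite=${sameSite}`);
  return parts.join('; ');
}

// Store a Set-Cookie value as a browser would (only the attributes used here),
// remembering the setting host so host-only scoping can be applied.
function storeCookie(setCookieValue, settingHost) {
  const [pair, ...attrs] = setCookieValue.split(';').map((s) => s.trim());
  const [name, value] = pair.split('=');
  const cookie = { name, value, hostOnly: true, domain: settingHost.toLowerCase(), httpOnly: false, secure: false };
  for (const attr of attrs) {
    const [k, v] = attr.split('=');
    const key = k.toLowerCase();
    if (key === 'domain' && v) {
      const d = v.replace(/^\./, '').toLowerCase();
      // A browser discards a cookie whose Domain does not cover the setting host.
      if (!domainMatches(settingHost, d)) return null;
      cookie.hostOnly = false;
      cookie.domain = d;
    } else if (key === 'httponly') {
      cookie.httpOnly = true;
    } else if (key === 'secure') {
      cookie.secure = true;
    }
  }
  return cookie;
}

// Would the browser attach this cookie to a request for requestHost? (RFC 6265 5.4)
function isSentTo(cookie, requestHost) {
  const host = requestHost.toLowerCase();
  return cookie.hostOnly ? host === cookie.domain : domainMatches(host, cookie.domain);
}

// CORS response headers for a credentialed request: the allowed origin must be
// echoed exactly; browsers do not accept "*" when credentials are included.
function corsHeadersFor(requestOrigin, allowedOrigins) {
  if (!allowedOrigins.includes(requestOrigin)) return {};
  return {
    'Access-Control-Allow-Origin': requestOrigin,
    'Access-Control-Allow-Credentials': 'true',
    Vary: 'Origin',
  };
}

// Walk through the setup from the question with constructed values.
function demo() {
  const apiHost = 'api.example.com';
  const appHost = 'app.example.com';

  const hostOnly = storeCookie(buildSetCookie('refresh', 'tok1'), apiHost);
  const parentDomain = storeCookie(buildSetCookie('refresh', 'tok2', { domain: 'example.com' }), apiHost);
  const rejected = storeCookie(buildSetCookie('refresh', 'tok3', { domain: 'other.example' }), apiHost);

  return {
    hostOnlySentToApi: isSentTo(hostOnly, apiHost),                 // true
    hostOnlySentToApp: isSentTo(hostOnly, appHost),                 // false
    parentSentToApi: isSentTo(parentDomain, apiHost),               // true
    parentSentToApp: isSentTo(parentDomain, appHost),               // true
    parentSentToOther: isSentTo(parentDomain, 'evil.example.org'),  // false
    foreignDomainRejected: rejected === null,                       // true
    cors: corsHeadersFor('https://app.example.com', ['https://app.example.com']),
  };
}
```

Two points worth noting from the output. For the refresh flow in the question, the cookie only ever needs to reach api.example.com, so even the host-only cookie works as long as the request carries credentials (withCredentials on the client, the echoed origin plus Access-Control-Allow-Credentials on the server); setting Domain=example.com as in the answer additionally makes the cookie available to every subdomain of example.com, which is a wider exposure than the refresh endpoint needs. Since app.example.com and api.example.com share the registrable domain example.com, they are same-site, so SameSite=Lax does not block the cookie on these requests.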


