Sandbox Cookies between environments

Tags:

cookies

I have a production environment and a staging environment. I am wondering if I can sandbox cookies between the environments. My setup looks like

Production

  • domain.com - frontend SPA
  • api.domain.com - backend Node

Staging

  • staging.domain.com - frontend SPA
  • api.staging.domain.com - backend Node

My staging cookies use the domain .staging.domain.com so everything is fine there. But my production cookies use the domain .domain.com so these cookies show up in the staging environment.

I've read one possible solution is to use a separate domain for staging like staging-domain.com but I would like to avoid this if possible. Are there any other solutions or am I missing something about how cookies work?

LLai asked Aug 13 '20 18:08


2 Answers

There are multiple alternatives:

  1. Set your production domains to be www.domain.com and api.www.domain.com and set your cookie to .www.domain.com

This way, your production cookie will not be seen in the staging environment.

or

  2. Use .domain.com, but have your backend behave differently depending on which environment it receives the cookie in.

Rahul Iyer answered Sep 25 '22 11:09


One solution would be to change the passphrase used on the staging environment to encrypt cookies.

Doing so will render cookies coming from production invalid.

The method to do so is web server dependent, for example on Apache HTTP server:

http://httpd.apache.org/docs/current/mod/mod_session_crypto.html

Text from above link:

SessionCryptoPassphrase secret

The session will be encrypted with the given key. Different servers can be configured to share sessions by ensuring the same encryption key is used on each server.

If the encryption key is changed, sessions will be invalidated automatically.


So find out how to change the passphrase on your web server in the staging environment, and all cookies coming from production, along with all cookies (issued in the past) from staging, will be considered invalid on staging.

Mustafa Naser answered Sep 25 '22 11:09