Third Party Cookies - Cross Domain APIs w/ Session Tracking

Given a CORS API that requires a session cookie to track users as they move through a checkout process, there are issues in multiple browsers where the cookie is not set until after the user visits the site the API is hosted on.

For example:

johnny.com uses a CORS JSON API from jacob.com. jacob.com sets a cookie after the first AJAX call is made, but some browsers will not set the cookie for subsequent calls. Therefore the API will not function as expected.

Browser Behavior:

  • Chrome seems to function fine unless "Third-Party cookies" are deliberately disabled. There doesn't seem to be a workaround for this.

  • IE does not allow the cookie to be set initially unless there is a P3P privacy policy header returned with the initial call.

  • Safari does not allow the cookie to be set initially unless a hack is used (see: http://measurablewins.gregjxn.com/2014/02/safari-setting-third-party-iframe.html)

Any insight on how to work around these issues is greatly appreciated.

jnrcorp asked Oct 19 '17 22:10


1 Answer

Unfortunately, it seems there is no option to make that work across all browsers.

Safari now restricts third-party use of cookies. It seems the best is to evaluate alternatives:

  • Set up a proxy server that will redirect the calls to the different services (for example, when you hit johnny.com/jacob/abc, act as a proxy to retrieve jacob.com/abc)
  • Use OAuth login on the API (it might be impractical)
  • Move the API under johnny.com/api/...

PayPal has also created several JS-based solutions to try to get around this kind of problem: https://medium.com/@bluepnume/introducing-paypals-open-source-cross-domain-javascript-suite-95f991b2731d

blackbox answered Oct 08 '22 20:10
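The proxy option from the answer above, worked through as an added example (this is not code from the question, the answer, or PayPal's suite). It goes a little beyond the one-line description: besides mapping johnny.com/jacob/abc to jacob.com/abc it confines requests to the proxied prefix (so "/jacob/../admin" cannot escape it), forwards only the API's own cookie rather than every johnny.com cookie, rewrites the upstream Set-Cookie so the browser stores it as a first-party johnny.com cookie scoped to /jacob, and drops the upstream CORS headers, which no longer apply. The hostnames, the /jacob prefix, the cookie name jacob_sid and the stubbed jacob.com responses are all assumptions for illustration; the upstream call is injected so the logic runs offline.

```javascript
// Added example (not from the original post). Names below are assumptions.
const PROXY_PREFIX = '/jacob';               // browser-facing prefix on johnny.com (assumed)
const UPSTREAM_ORIGIN = 'https://jacob.com'; // the API origin (assumed)
const API_COOKIES = ['jacob_sid'];           // the API's session cookie name (assumed)

// Map a browser-facing URL to the upstream path, or return null when it is
// not under the prefix. The WHATWG URL parser resolves dot segments first,
// so "/jacob/../admin" becomes "/admin" and is rejected instead of proxied.
function mapUpstreamPath(browserUrl) {
  const u = new URL(browserUrl, 'http://placeholder.invalid');
  const p = u.pathname;
  if (p !== PROXY_PREFIX && !p.startsWith(PROXY_PREFIX + '/')) return null;
  return (p.slice(PROXY_PREFIX.length) || '/') + u.search;
}

// Keep only the API's own cookies from the browser's Cookie header, so
// johnny.com's own session cookie is never forwarded to jacob.com.
function filterCookieHeader(cookieHeader) {
  if (!cookieHeader) return undefined;
  const kept = cookieHeader.split(';').map((c) => c.trim()).filter((c) => {
    const eq = c.indexOf('=');
    return API_COOKIES.includes(eq === -1 ? c : c.slice(0, eq));
  });
  return kept.length ? kept.join('; ') : undefined;
}

// Rewrite an upstream Set-Cookie so the browser stores it as a first-party
// johnny.com cookie: drop Domain (host-only cookie), move Path under the
// prefix so it is only sent on proxied requests, and relax SameSite=None to
// Lax because the request is no longer cross-site. Other attributes pass through.
function rewriteSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const out = [parts[0]]; // the name=value pair
  let sawPath = false;
  for (const attr of parts.slice(1)) {
    const eq = attr.indexOf('=');
    const name = (eq === -1 ? attr : attr.slice(0, eq)).toLowerCase();
    const value = eq === -1 ? '' : attr.slice(eq + 1);
    if (name === 'domain') continue;
    if (name === 'path') {
      sawPath = true;
      out.push('Path=' + PROXY_PREFIX + (value === '/' ? '' : value));
    } else if (name === 'samesite' && value.toLowerCase() === 'none') {
      out.push('SameSite=Lax');
    } else {
      out.push(attr);
    }
  }
  if (!sawPath) out.push('Path=' + PROXY_PREFIX);
  return out.join('; ');
}

// Build johnny.com's request handler. `upstream` is injected with the shape
// (url, headers, method, body) -> { status, headers, body }; in production it
// would be an HTTPS client call to UPSTREAM_ORIGIN, here it can be a stub.
function createProxyHandler(upstream) {
  return function handle(req) {
    const upstreamPath = mapUpstreamPath(req.url);
    if (upstreamPath === null) return { status: 404, headers: {}, body: 'not found' };

    // The proxy is the HTTP client: send the API's Host, not the browser's
    // Host/Origin/Referer, and only the cookies that belong to the API.
    const fwd = { host: new URL(UPSTREAM_ORIGIN).host };
    for (const h of ['accept', 'content-type']) {
      if (req.headers[h] !== undefined) fwd[h] = req.headers[h];
    }
    const cookie = filterCookieHeader(req.headers.cookie);
    if (cookie) fwd.cookie = cookie;

    const res = upstream(UPSTREAM_ORIGIN + upstreamPath, fwd, req.method, req.body);
    const headers = { ...res.headers };
    if (headers['set-cookie'] !== undefined) {
      headers['set-cookie'] = [].concat(headers['set-cookie']).map(rewriteSetCookie);
    }
    // Responses are now same-origin for johnny.com's pages; upstream CORS
    // headers are meaningless here and are not echoed to the browser.
    for (const k of Object.keys(headers)) {
      if (k.toLowerCase().startsWith('access-control-')) delete headers[k];
    }
    return { status: res.status, headers, body: res.body };
  };
}

// Constructed stand-in for jacob.com, used only to exercise the handler offline.
function stubJacobApi(url, headers) {
  return {
    status: 200,
    headers: {
      'content-type': 'application/json',
      'access-control-allow-origin': 'https://johnny.com',
      'set-cookie': ['jacob_sid=abc123; Domain=jacob.com; Path=/; Secure; HttpOnly; SameSite=None'],
    },
    body: JSON.stringify({ url, cookieSeen: headers.cookie || null }),
  };
}

// One proxied checkout call: the browser hits johnny.com/jacob/cart?step=2
// carrying both johnny.com's own session and the API's cookie.
function demo() {
  const handle = createProxyHandler(stubJacobApi);
  return handle({
    method: 'GET',
    url: '/jacob/cart?step=2',
    headers: { host: 'johnny.com', origin: 'https://johnny.com', accept: 'application/json',
               cookie: 'johnny_session=zzz; jacob_sid=old' },
  });
}

console.log(demo());
```

With this in place the browser never talks to jacob.com at all, so the third-party cookie settings in Chrome, IE and Safari no longer matter; the cost is that johnny.com's server now holds the API session on the user's behalf, which is why the path confinement and cookie filtering above are not optional.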