I can't get the cookie set in the browser. This happens when I add www to the cookie domain, but can't figure out why.
Problem description
We have a domain mycompany.com, an application running under mycompany.com and another application under subdomain.mycompany.com. Each of them has its own cookie, secure and httpOnly. We don't want these cookies to be shared between domains. We had the domain for the cookie of mycompany.com set as .mycompany.com. The problem with this is that it leaks to subdomain.mycompany.com, so to avoid it I've changed the domain to www.mycompany.com. In our apache config, we redirect all requests for mycompany.com to www.mycompany.com, and all traffic is redirected to https.
So when I go to mycompany.com or www.mycompany.com I end up in www.mycompany.com; the domain and the cookie domain match, so this should work, but it doesn't. The cookie for mycompany.com is not in the local storage (Chrome and Firefox). (I've also tried using just mycompany.com as the cookie domain, but as expected the cookie leaks to subdomain.mycompany.com, as when I used .mycompany.com.)
Here is the cookie as sent back by the server:
my_cookie=xxxxxxxxxxxxxx;Version=1;Comment=;Domain=www.mycompany.com;Path=/;Max-Age=604800000;Secure;HttpOnly;Expires=Fri, 26 Aug 2016 09:32:40 GMT
Reading about this, I thought the problem could be the redirection, but this happens regardless of whether I go to mycompany.com or www.mycompany.com.
What am I doing wrong?
PS: The cookie is not being generated by the application running under mycompany.com, but by another process running under services.mycompany.com, which the client sends the requests to in order to get the cookie. Maybe this could be the problem.
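As an added illustration (not part of the question or of any answer on this page), the following Python models the RFC 6265 rules a browser applies to a cookie's Domain attribute and replays them against the hosts named in the question; the domain names are the question's placeholders, and the public-suffix check of section 5.3 is left out.

```python
from typing import Optional, Tuple

def domain_match(string: str, domain: str) -> bool:
    """RFC 6265 section 5.1.3: does `string` domain-match `domain`?
    (The 'string is not an IP address' condition is omitted here.)"""
    string, domain = string.lower(), domain.lower()
    return string == domain or string.endswith("." + domain)

def store_decision(request_host: str, domain_attr: Optional[str]) -> Tuple[bool, str, bool]:
    """RFC 6265 section 5.3, steps 4-6: decide whether a user agent stores the
    cookie. Returns (stored, effective cookie domain, host_only_flag).
    The public-suffix check of step 5 is omitted for brevity."""
    request_host = request_host.lower()
    if not domain_attr:                       # no Domain attribute: host-only cookie
        return True, request_host, True
    cookie_domain = domain_attr.lower().lstrip(".")   # section 5.2.3: a leading dot is ignored
    if not domain_match(request_host, cookie_domain):
        return False, cookie_domain, False    # step 6: "Ignore the cookie entirely"
    return True, cookie_domain, False

def sent_to(host: str, cookie_domain: str, host_only: bool) -> bool:
    """RFC 6265 section 5.4: is a stored cookie attached to a request for `host`?"""
    host = host.lower()
    return host == cookie_domain if host_only else domain_match(host, cookie_domain)

def scenario(set_by: str, domain_attr: Optional[str]) -> dict:
    """Where does a cookie set in a response from `set_by` with this Domain attribute end up?
    Host names are the question's placeholders (constructed input)."""
    stored, eff, host_only = store_decision(set_by, domain_attr)
    if not stored:
        return {"stored": False}
    return {"stored": True,
            "www.mycompany.com": sent_to("www.mycompany.com", eff, host_only),
            "subdomain.mycompany.com": sent_to("subdomain.mycompany.com", eff, host_only)}

if __name__ == "__main__":
    # The question's situation: the cookie is emitted by services.mycompany.com
    print(scenario("services.mycompany.com", "www.mycompany.com"))   # {'stored': False}
    print(scenario("services.mycompany.com", ".mycompany.com"))      # stored, sent to both hosts
    # Set by www.mycompany.com itself, with Domain=www.mycompany.com or with no Domain attribute
    print(scenario("www.mycompany.com", "www.mycompany.com"))        # stored, sent to www only
    print(scenario("www.mycompany.com", None))                       # stored, sent to www only
```

A cookie whose Domain attribute the responding host does not domain-match is dropped before it is ever stored, so the browser's cookie viewer shows nothing at all rather than a cookie scoped wrongly.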