6

I have a production environment and a staging environment. I am wondering if I can sandbox cookies between the environments. My setup looks like this:

Production

  • domain.com - frontend SPA
  • api.domain.com - backend Node

Staging

  • staging.domain.com - frontend SPA
  • api.staging.domain.com - backend Node

My staging cookies use the domain .staging.domain.com so everything is fine there. But my production cookies use the domain .domain.com so these cookies show up in the staging environment.

I've read one possible solution is to use a separate domain for staging like staging-domain.com but I would like to avoid this if possible. Are there any other solutions or am I missing something about how cookies work?

LLai
  • seems to be a [duplicate](https://stackoverflow.com/questions/18492576/share-cookie-between-subdomain-and-domain). Alternatively you could look at patching your `hosts` file so one domain gets reused for both environments (probably only applicable to testing scenario) – timur Aug 15 '20 at 21:34
  • @timur I saw that one, I think that top answer accounts for one of my environments but not both together. Thank you for the link though – LLai Aug 16 '20 at 04:11

3 Answers

5

There are multiple alternatives:

  1. Set your production domains to be www.domain.com and api.www.domain.com and set your cookie to .www.domain.com

This way, your production cookie will not be seen in the staging environment.

or

  2. Use .domain.com, but have your backend behave differently depending on which environment it receives the cookie in.

Rahul Iyer
0

One solution would be to change the passphrase used on the staging environment to encrypt cookies.

Doing so will render cookies coming from production invalid.

The method to do so is web server dependent, for example on Apache HTTP server:

http://httpd.apache.org/docs/current/mod/mod_session_crypto.html

Text from the above link:

> SessionCryptoPassphrase secret
>
> The session will be encrypted with the given key. Different servers can be configured to share sessions by ensuring the same encryption key is used on each server.
>
> If the encryption key is changed, sessions will be invalidated automatically.

So find out how to change the passphrase on your web server in the staging environment, and all cookies coming from production, along with all cookies issued in the past by staging, will be considered invalid on staging.

0

An alternative option if you don't want to use a separate domain or the www subdomain: you can append the staging environment name to the cookie name.

But personally, I would put an API gateway/proxy in front of the backend and the SPA to keep both services under a single domain (domain.com and domain.com/api).

For staging: staging.domain.com and staging.domain.com/api, or a completely separate domain to avoid exposing a staging address in the SSL certificate.

And I would not allow cookie sharing: I would omit the domain while setting the cookie. Probably, I would also set the cookie path to /api.

Zygimantas
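As an added example (not code from the question or from any of the answers), here is a small model of RFC 6265 domain and path matching that shows which cookies a browser would attach to requests for the hosts in the question, alongside the `Domain=.www.domain.com` variant from Rahul Iyer's answer and the host-only `Path=/api` variant from Zygimantas's answer. Cookie names and values are constructed; the parser ignores attributes such as Expires and Secure.

```javascript
// RFC 6265 section 5.1.3: a request host domain-matches a cookie domain when
// they are equal or the host ends with "." + domain (a leading dot is ignored).
function domainMatches(requestHost, cookieDomain) {
  const host = requestHost.toLowerCase();
  const domain = cookieDomain.toLowerCase().replace(/^\./, "");
  return host === domain || host.endsWith("." + domain);
}

// RFC 6265 section 5.1.4: path matching for the Path attribute.
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// Minimal Set-Cookie parser. A cookie without a Domain attribute is "host-only" and
// goes back only to the host that set it; a Domain not covering the origin host is rejected.
function parseSetCookie(header, originHost) {
  const [nameValue, ...attrs] = header.split(";").map(s => s.trim());
  const cookie = { name: nameValue.split("=")[0], domain: originHost.toLowerCase(), hostOnly: true, path: "/" };
  for (const attr of attrs) {
    const [k, v = ""] = attr.split("=");
    if (k.toLowerCase() === "domain" && v) {
      if (!domainMatches(originHost, v)) throw new Error(`Domain=${v} rejected for ${originHost}`);
      cookie.domain = v.toLowerCase().replace(/^\./, "");
      cookie.hostOnly = false;
    } else if (k.toLowerCase() === "path" && v.startsWith("/")) {
      cookie.path = v;
    }
  }
  return cookie;
}

// Names of the cookies in the jar that a browser would attach to a request.
function cookiesSentTo(jar, requestHost, requestPath = "/") {
  const host = requestHost.toLowerCase();
  return jar
    .filter(c => (c.hostOnly ? host === c.domain : domainMatches(host, c.domain)))
    .filter(c => pathMatches(requestPath, c.path))
    .map(c => c.name);
}

// Constructed jar: one cookie per strategy, each set by its environment's backend host.
const jar = [
  parseSetCookie("prod_session=a; Domain=.domain.com; Path=/", "api.domain.com"),               // the question's production cookie
  parseSetCookie("staging_session=b; Domain=.staging.domain.com; Path=/", "api.staging.domain.com"),
  parseSetCookie("www_session=c; Domain=.www.domain.com; Path=/", "api.www.domain.com"),         // Rahul Iyer's www variant
  parseSetCookie("api_session=d; Path=/api", "api.domain.com"),                                  // Zygimantas: no Domain, Path=/api
];
```

Running `cookiesSentTo(jar, "api.staging.domain.com")` returns the production cookie together with the staging one, which is exactly the leak described in the question, while the www-scoped and host-only cookies stay out of staging.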