
I am facing a problem with my project while using cookies for authentication. My project has an API (NodeJS) and I have 3 clients (ReactJS).

Let's say that my API runs on api.example.com and serves all of my clients. My first client runs on example.com, my second one on second.example.com and my third one on third.example.com.

Is there a way to prevent cookies from being shared across subdomains? This creates problems with role permissions between the systems. Thank you for your help. If you need more clarification, please comment below!

1 Answer


Check out these: https://stackoverflow.com/a/28320172/11128919 & https://stackoverflow.com/a/23086139/11128919 .

In short: for instance, if you sent the following header from subdomain.mydomain.com, then the cookie won't be sent for requests to mydomain.com: Set-Cookie: name=value

However, if you use the following, it will be usable on both domains: Set-Cookie: name=value; domain=mydomain.com

  • Thank you for your reply, but I'm not sure if you have understood exactly what I'm asking for. Can you please read my question one more time? I have changed it a bit now and made it clearer. Thank you – Paraskevas Louka Mar 29 '21 at 22:31
  • Hi @ParaskevasLouka, I understood. You have one single NodeJS backend API and three frontends hosted in different subdomains of the same domain, i.e., a.example.com, b.example.com and c.example.com. Your problem is: opening the three frontends in the same browser causes the cookie to be shared among them and causes issues in authentication. Is my statement right? – Muhamed Salih Apr 05 '21 at 08:25
  • If my understanding is right, try using this Stack Overflow solution that states how to avoid subdomains sharing the cookie. Link: https://security.stackexchange.com/a/212810 **In short: Set-Cookie: lang=en-US; Path=/; Domain=.foo.example.com** **The cookie must have a domain key with a "." before the domain to restrict other subdomains from accessing it** – Muhamed Salih Apr 05 '21 at 08:35
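Added example (not code from the asker's project or from the answer above): a small JavaScript model of the RFC 6265 cookie-scoping rules the answer describes. It parses a Set-Cookie header as a browser would, applies the Domain rules from RFC 6265 sections 5.2.3 and 5.3 (no Domain attribute gives a host-only cookie; a leading "." is stripped; a Domain that the responding host does not match is rejected), and then reports which of the hostnames from the question would have the cookie attached to their requests. Hostnames and the "session" cookie are constructed from the question; the function names are mine.

```javascript
// Model of RFC 6265 cookie scoping for the hosts in the question.
// Added illustration, not part of the original project or answer.

// RFC 6265 section 5.1.3: a host domain-matches a domain string if they are
// identical, or the host ends with "." followed by the domain string.
function domainMatches(host, domain) {
  return host === domain || host.endsWith('.' + domain);
}

// Parse one Set-Cookie header value received from responseHost.
// Returns { name, value, domain, hostOnly, path }, or null if a browser
// would reject the cookie (RFC 6265 section 5.3, step 6).
function parseSetCookie(header, responseHost) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  if (eq < 0) return null; // no name=value pair, ignore the header
  const cookie = {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    domain: responseHost.toLowerCase(), // host-only until a Domain attribute says otherwise
    hostOnly: true,
    path: '/',
  };
  for (const attr of attrs) {
    const [rawKey, rawVal = ''] = attr.split('=');
    const key = rawKey.trim().toLowerCase();
    let val = rawVal.trim();
    if (key === 'domain' && val) {
      if (val.startsWith('.')) val = val.slice(1); // section 5.2.3: leading dot is ignored
      val = val.toLowerCase();
      // The responding host must itself match the requested Domain,
      // otherwise the cookie is discarded (prevents setting cookies for siblings).
      if (!domainMatches(responseHost.toLowerCase(), val)) return null;
      cookie.domain = val;
      cookie.hostOnly = false;
    } else if (key === 'path' && val.startsWith('/')) {
      cookie.path = val;
    }
  }
  return cookie;
}

// RFC 6265 section 5.4: would the browser attach this cookie to a request
// whose target host is requestHost? Host-only cookies need an exact match.
function cookieSentTo(cookie, requestHost) {
  const host = requestHost.toLowerCase();
  return cookie.hostOnly ? host === cookie.domain : domainMatches(host, cookie.domain);
}

// Constructed scenario from the question: the API at api.example.com sets a
// cookie; which hosts would the browser later send it to?
const hosts = ['api.example.com', 'example.com', 'second.example.com', 'third.example.com'];

function scopeTable(header, responseHost = 'api.example.com') {
  const cookie = parseSetCookie(header, responseHost);
  if (!cookie) return { header, rejected: true };
  return Object.fromEntries(hosts.map((h) => [h, cookieSentTo(cookie, h)]));
}

const variants = [
  'session=abc123',                            // host-only: api.example.com only
  'session=abc123; Domain=example.com',        // every host under example.com
  'session=abc123; Domain=.example.com',       // leading dot: identical to the line above
  'session=abc123; Domain=second.example.com', // rejected: api.example.com is not under it
];

for (const v of variants) {
  console.log(v, scopeTable(v));
}
```

Note what the table shows for the question's setup: cookie scope is decided by the host of the request, not by the origin of the page making it. A host-only cookie set by api.example.com is never sent to example.com or second.example.com, but it is still attached to every request that any of the three frontends makes to api.example.com, so role checks have to live in the API's session data rather than in which subdomain the cookie reaches.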