2

I originally posted this question here: https://security.stackexchange.com/questions/255737/is-it-possible-to-set-an-httponly-cookie-from-one-domain-to-another-subdomain

Please keep in mind that this question is specific to cookies with the HttpOnly flag set to true.

I am pretty sure that the answer to my question is no, but I have been have a hard time finding an answer through official documentation or other posts here. Here is simple use case for some context:

  1. Python backend web application (api.domain.com)
  2. Frontend JavaScript SPA (app.domain.com)
  3. post requests to api.domain.com/api/auth/login/ made from app.domain.com using axios with the correct username and password return a response with an access JWT token in the body and the response sets a refresh cookie with an HttpOnly flag [should fail, since I believe that the cookie cannot be set on app.domain.com from an API request to api.domain.com? -- this is my question]
  4. the access token is stored in memory and passed with each API request
  5. requests made to api.domain.com/api/auth/refresh/ are sent on a schedule to refresh the short-lived access token.

I typically host the frontend app and backend app on the same subdomain (app.domain.com) and do path-based routing with something like CloudFront or nginx, and this works well. For example, all requests starting with /api/* are sent to the backend, and all other requests are sent to the frontend app. Trying to use a separate subdomain for the API seems to fail no matter what options I use for setting the cookie on the server.

Can someone help me confirm that it is in fact not possible to set an HttpOnly cookie on a subdomain like app.domain.com from an API request hosted on api.domain.com? It would be great if anyone can also help me find where this could possibly be found in official documentation.

Searching for set httpOnly cookie across subdomains, I haven't found anything directly relevant. I also didn't find anything in these resources that directly answers my question:

https://owasp.org/www-community/HttpOnly

https://learn.microsoft.com/en-us/previous-versions//ms533046(v=vs.85)?redirectedfrom=MSDN

briancaffey
  • 2,339
  • 6
  • 34
  • 62

2 Answers2

3

This is possible. In fact I just did it.

On your frontend, using Axios:

const baseURL = 'https://api.example.com';

const api = axios.create({
  baseURL,
  withCredentials: true,
});

On your backend, using Express:

app.use(
  cors({
    origin: 'https://www.example.com',
    credentials: true,
  }),
);

app.post('/login', async (req, res) => {
  res.cookie('someCookie', someCookieValue, {
    secure: true,
    domain: 'example.com',
    httpOnly: true,
  });
});
Mario Petrovic
  • 7,500
  • 14
  • 42
  • 62
just a person
  • 31
  • 3
1

so after i spend a day to figure this out, i will end my attempt with this post. Cross-Domain Cookies

As i finally understand it, many talks about a solution to send the cookie from the PageA, within PageB to PageA. But that was not was i looking for. So in this post, for me the answer with the most upvotes is not correct, but the followed answers give me some clarity.

I thinks its the point to understand what we want, i was trying to send the Cookie from PageB within PageB to PageA. And it seems its not possible. (I talk about http only cookies.). If this not correct, im excited to get a solution, but in the other hand it also makes no sense from a security point of view.

Producerey
  • 26
  • 3
  • As it’s currently written, your answer is unclear. Please [edit] to add additional details that will help others understand how this addresses the question asked. You can find more information on how to write good answers [in the help center](/help/how-to-answer). – pierpy Apr 22 '23 at 20:01