AbandonTech / abandonauth

An Authentic Auth Service...
GNU General Public License v3.0

Refactor Cookie Response for Abandon Auth Logins #135

Closed fisher60 closed 2 months ago

fisher60 commented 2 months ago

Summary

We are using an insecure cookie policy that is setting cookies for the entire abandontech domain. Instead, we should only set cookies for the domain that abandonauth is hosted on. This should be possible by removing any explicit domain we are setting on cookies.

We also need to ensure we are using a secure cookie policy; we should still use secure=True and httponly=True in the UI response for setting cookies. Ideally, we can remove the separate cookie logic for debug mode versus prod deploy after we remove the explicit domain.
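The cookie change the issue asks for, shown as an added example that is not abandonauth's own code: the weak setting (an explicit parent Domain) beside the corrected host-only cookie, plus a small audit that a test suite can run over the Set-Cookie header a login response emits. The helper uses only the standard library; its keyword arguments deliberately mirror the ones Starlette's Response.set_cookie accepts (domain, secure, httponly, samesite) so the same attributes carry over to a FastAPI response. The cookie name, token and domain are constructed placeholders.

```python
"""Host-only, Secure, HttpOnly session cookie: weak vs corrected.

Added illustration, not abandonauth's own code. COOKIE_NAME, TOKEN and
the domain string are constructed placeholders.
"""
from http.cookies import SimpleCookie
from typing import List, Optional

COOKIE_NAME = "session"          # constructed placeholder cookie name
TOKEN = "example-opaque-token"   # constructed placeholder session value


def build_set_cookie(value: str, *, domain: Optional[str] = None,
                     secure: bool = True, httponly: bool = True,
                     samesite: str = "lax", max_age: int = 3600) -> str:
    """Render a Set-Cookie header value.

    Keyword names follow Starlette's Response.set_cookie so the
    attributes map one-to-one onto a FastAPI response; this helper
    itself is an assumption made for the example.
    """
    jar = SimpleCookie()
    jar[COOKIE_NAME] = value
    morsel = jar[COOKIE_NAME]
    morsel["path"] = "/"
    morsel["max-age"] = max_age
    morsel["samesite"] = samesite.capitalize()
    if domain is not None:
        # Setting Domain widens the cookie to every subdomain of it.
        morsel["domain"] = domain
    if secure:
        morsel["secure"] = True      # only sent over HTTPS
    if httponly:
        morsel["httponly"] = True    # not readable from document.cookie
    return morsel.OutputString()


def audit_set_cookie(header: str) -> List[str]:
    """Return findings for a Set-Cookie header value; empty list means OK.

    Checks the three properties the issue calls for: host-only scope
    (no Domain attribute), Secure, and HttpOnly.
    """
    parts = [p.strip() for p in header.split(";")]
    attrs = {}
    for part in parts[1:]:
        name, _, val = part.partition("=")
        attrs[name.strip().lower()] = val.strip()
    findings = []
    if "domain" in attrs:
        findings.append(
            f"Domain={attrs['domain']} widens scope beyond the issuing host")
    if "secure" not in attrs:
        findings.append("missing Secure: cookie would be sent over plain HTTP")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: cookie readable from script")
    return findings


# Weak: explicit parent domain makes every host under it receive the cookie.
WEAK = build_set_cookie(TOKEN, domain=".abandontech.example")  # constructed
# Corrected: no Domain attribute, so browsers store it as host-only.
HARDENED = build_set_cookie(TOKEN)

if __name__ == "__main__":
    for label, hdr in (("weak", WEAK), ("hardened", HARDENED)):
        print(f"{label}: {hdr}")
        print("  findings:", audit_set_cookie(hdr) or "none")
```

Dropping the Domain attribute is what makes the cookie host-only: the browser then returns it only to the exact host that set it, which is the scoping the issue wants. On the debug-versus-prod question, current Chrome and Firefox treat http://localhost as a potentially trustworthy origin and accept Secure cookies from it, so keeping secure=True in both modes normally works without a separate branch; the audit above is the regression check to keep in the test suite so the Domain attribute does not creep back in.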