awslabs / cognito-at-edge

Serverless authentication solution to protect your website or Amplify application
Apache License 2.0
168 stars 54 forks

Cookie domain attribute should optionally be disabled #10

Closed jwwheeleriv closed 2 years ago

jwwheeleriv commented 2 years ago

What would you like to be added:

Cognito-At-Edge by default sets all cookies with the domain attribute. This attribute really should be optional as it leads to issues where you may not want to share cookies across subdomains and could potentially lead to WAF restrictions if a WAF restricts the size of cookie headers.

Why is this needed:

The Domain attribute specifies which hosts are allowed to receive the cookie. If unspecified, it defaults to the same host that set the cookie, excluding subdomains. If Domain is specified, then subdomains are always included. Therefore, specifying Domain is less restrictive than omitting it. However, it can be helpful when subdomains need to share information about a user.
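To make the difference described above concrete, here is an added example (not cognito-at-edge code) that builds a Set-Cookie header with or without the Domain attribute and applies the RFC 6265 domain-matching rules to decide which hosts a browser would send the cookie back to. Cookie name, value and host names are constructed.

```javascript
// Added example, not part of the cognito-at-edge package: shows how the
// presence of the Domain attribute changes which hosts receive a cookie,
// following the RFC 6265 matching rules summarised in the issue.

// Build a Set-Cookie header value; `domain` is optional, mirroring the
// behaviour the issue asks for (omit the attribute for a host-only cookie).
function buildSetCookie(name, value, { domain, path = '/', secure = true, httpOnly = true } = {}) {
  const parts = [`${name}=${value}`, `Path=${path}`];
  if (domain) parts.push(`Domain=${domain}`);
  if (secure) parts.push('Secure');
  if (httpOnly) parts.push('HttpOnly');
  return parts.join('; ');
}

// Extract the Domain attribute from a Set-Cookie header (undefined when absent).
// A leading dot is ignored, as browsers do.
function cookieDomainOf(setCookie) {
  const m = /;\s*Domain=([^;]+)/i.exec(setCookie);
  return m ? m[1].trim().replace(/^\./, '').toLowerCase() : undefined;
}

// RFC 6265 section 5.1.3: a host "domain-matches" a cookie domain when it is
// identical to it or ends with "." followed by it (i.e. is a subdomain).
function domainMatches(host, cookieDomain) {
  const h = host.toLowerCase();
  return h === cookieDomain || h.endsWith('.' + cookieDomain);
}

// Would a browser send this cookie on a request to `requestHost`?
// `settingHost` is the host whose response carried the Set-Cookie header.
function cookieSentTo(setCookie, settingHost, requestHost) {
  const domain = cookieDomainOf(setCookie);
  if (domain === undefined) {
    // Host-only cookie: exact host only, subdomains excluded.
    return requestHost.toLowerCase() === settingHost.toLowerCase();
  }
  // Domain cookie: the setting host must be covered by the domain, and then
  // the domain and every subdomain of it receive the cookie.
  return domainMatches(settingHost, domain) && domainMatches(requestHost, domain);
}

// Constructed sample values.
const withDomain = buildSetCookie('idToken', 'tok123', { domain: 'example.com' });
const hostOnly = buildSetCookie('idToken', 'tok123');
console.log(cookieSentTo(withDomain, 'app.example.com', 'api.example.com')); // true: shared across subdomains
console.log(cookieSentTo(hostOnly, 'app.example.com', 'api.example.com'));   // false: stays on app.example.com
```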

jeandek commented 2 years ago

Thanks for the PR Jay. I'll publish the new version of the package to NPM by the end of the week.