Closed triasmoro closed 5 years ago
@triasmoro My understanding is that you can set a cookie for all subdomains of the current one, but may not set one for a sibling domain. It would allow for cross-domain injection attacks. Can you verify that this will work for your use case?
If this domain setting does not work as hoped, let's talk through cross-domain logins from an SSO angle. It may take some light effort, but the server should be able to supply an access token to any known domain once the refresh token is established.
Yes, you're right. It will lead to cross-domain injection attacks. Sorry for my bad knowledge. I just realized the cookie has been set at my API URL (api.domain.com). I can use that one.
Thank you @cainlevy
Case:
I build my system using a microservices architecture, so the login page will be on auth.domain.com while the app is on app.domain.com. When logging in via auth.domain.com, I want my cookie to be readable by app.domain.com as well. But with the current code, it can only be used by the current domain (host only).

Resolve:
Pull Request #32
I add the domain name when calling setCookieStore as a second, optional parameter (for backward compatibility), so the syntax below is valid

and with a dot prefix (further information: read Share cookie between subdomain and domain)

But I can't create test code for that in the test folder, since document.cookie is always empty if I add the domain (; domain=domain.com) in the update method of CookieSessionStore.ts. I don't know why. Should I create a test for these changes @cainlevy?
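Worked example for the rules discussed in this thread, added here as an illustration and not code from the issue, the pull request or authn-js: a page on auth.domain.com may set a cookie whose Domain attribute is its own host or a parent domain such as domain.com (with or without the leading dot), after which every host under that domain, including app.domain.com, receives it; a sibling such as app.domain.com, a public suffix such as com, or a host the page is not under is rejected by the browser and the cookie never shows up in document.cookie. The helper names (domainMatches, allowedCookieDomain, buildSessionCookie, cookieSentTo), the short public-suffix list and the sample hosts are assumptions made for this example; real browsers consult the full Public Suffix List.

```javascript
// Added example (not authn-js code): RFC 6265 domain matching applied to the
// cookie Domain attribute. Helper names and the suffix list are assumptions.

// RFC 6265 section 5.1.3: a host domain-matches a domain when they are equal, or the
// domain is a suffix of the host, the character just before that suffix is a dot,
// and the host is a name rather than an IPv4 literal.
function domainMatches(hostname, domain) {
  hostname = hostname.toLowerCase();
  domain = domain.toLowerCase();
  if (hostname === domain) return true;
  if (!hostname.endsWith(domain)) return false;
  const prefix = hostname.slice(0, hostname.length - domain.length);
  if (!prefix.endsWith(".")) return false;          // rejects evil-domain.com vs domain.com
  return !/^\d{1,3}(\.\d{1,3}){3}$/.test(hostname); // no domain cookies for IP hosts
}

// Constructed stand-in for the Public Suffix List (assumption for this example).
const PUBLIC_SUFFIXES = new Set(["com", "net", "org", "co.uk"]);

// RFC 6265 section 5.3: a leading dot is stripped, a public suffix is refused, and a
// cookie whose Domain does not cover the request host is silently dropped.
// Returns the effective domain, or null when the browser would discard the cookie.
function allowedCookieDomain(requestHost, domainAttr) {
  let d = domainAttr.toLowerCase();
  if (d.startsWith(".")) d = d.slice(1);
  if (d === "" || PUBLIC_SUFFIXES.has(d)) return null;
  if (!domainMatches(requestHost, d)) return null;
  return d;
}

// Hypothetical stand-in for a store that writes document.cookie with an optional
// domain. It refuses up front what the browser would drop, so the failure is
// visible instead of a silently empty document.cookie.
function buildSessionCookie(name, value, requestHost, domain) {
  const parts = [`${name}=${encodeURIComponent(value)}`, "path=/", "SameSite=Lax", "Secure"];
  if (domain !== undefined) {
    const effective = allowedCookieDomain(requestHost, domain);
    if (effective === null) {
      throw new Error(`Domain=${domain} cannot be set from ${requestHost}`);
    }
    parts.push(`domain=${effective}`);
  }
  return parts.join("; ");
}

// RFC 6265 section 5.4: a host-only cookie (no Domain attribute) goes back only to
// the exact host that set it; a domain cookie goes to every host that domain-matches.
function cookieSentTo(cookieDomainOrNull, originHost, targetHost) {
  if (cookieDomainOrNull === null) {
    return originHost.toLowerCase() === targetHost.toLowerCase();
  }
  return domainMatches(targetHost, cookieDomainOrNull);
}

// Stand-alone demonstration with the hosts from the thread.
console.log(buildSessionCookie("authn", "token", "auth.domain.com", "domain.com"));
console.log(cookieSentTo("domain.com", "auth.domain.com", "app.domain.com")); // shared
console.log(cookieSentTo(null, "auth.domain.com", "app.domain.com"));         // host only
console.log(allowedCookieDomain("auth.domain.com", "app.domain.com"));         // sibling: null
```

The same check explains an empty document.cookie in a test runner: if the page the tests run under is not a host beneath domain.com (for example a localhost page, which is an assumption about the test environment), allowedCookieDomain returns null and a real browser drops the cookie the same way.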