keratin / authn-js

JavaScript client library for Keratin AuthN
GNU Lesser General Public License v3.0

Cookie for domain and sub-domain #33

Closed triasmoro closed 5 years ago

triasmoro commented 5 years ago

Note: Actually this case has already been resolved at https://github.com/keratin/authn-js/pull/26. But I don't know why the author closed the PR.

Case:

I build my system using a microservices architecture, so the login page will be on auth.domain.com while the app is on app.domain.com. When logging in via auth.domain.com, I want my cookie to be readable by app.domain.com as well. But with the current code, it can only be used by the current domain (host only).

Resolve:

Pull Request #32

I added the domain name as a second, optional parameter (for backward compatibility) when calling setCookieStore, so the syntax below is valid:

setCookieStore("my-cookie"); // it will use current domain as cookie domain, i.e. auth.domain.com

and

setCookieStore("my-cookie", "auth.domain.com");

and with a dot prefix (for further information, read Share cookie between subdomain and domain)

setCookieStore("my-cookie", ".domain.com");

But I can't create test code for that in the test folder, since document.cookie is always empty if I add the domain (`; domain=domain.com`) in the update method of CookieSessionStore.ts. I don't know why.

Should I create tests for these changes, @cainlevy?

cainlevy commented 5 years ago

@triasmoro My understanding is that you can set a cookie for all subdomains of the current one, but may not set one for a sibling domain. That would allow for cross-domain injection attacks. Can you verify that this will work for your use case?

If this domain setting does not work as hoped, let's talk through cross-domain logins from an SSO angle. It may take some light effort, but the server should be able to supply an access token to any known domain once the refresh token is established.
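To make the two points above concrete, here is an added example (not part of authn-js or this thread) that models the RFC 6265 Domain attribute rules: which of the three setCookieStore(name, domain) calls from the first comment a browser would store, and which hosts would then receive the cookie. It assumes a simplified model (lowercase hostnames, a basic IPv4 check, and no public-suffix list); the function names are this example's own.

```javascript
// Simplified model of RFC 6265 Domain handling (added example, not authn-js code).
// Not modelled: the public-suffix list (browsers also reject Domain=com) and IPv6 hosts.

// RFC 6265 5.1.3: host domain-matches domain if they are equal, or host ends
// with "." + domain and host is a name rather than an IPv4 address.
function domainMatches(host, domain) {
  if (host === domain) return true;
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) return false;
  return host.endsWith('.' + domain);
}

// Decide what a browser stores for a cookie set by requestHost with the given
// Domain attribute. Returns { hostOnly, domain }, or null if the cookie is
// rejected because the attribute does not domain-match the setting host
// (RFC 6265 5.3 step 6). This is the check that stops auth.domain.com from
// planting a cookie on a sibling such as app.domain.com or another site.
function effectiveCookieDomain(requestHost, domainAttr) {
  const host = requestHost.toLowerCase();
  if (domainAttr === undefined || domainAttr === '') {
    // No Domain attribute: host-only cookie, exactly like setCookieStore("my-cookie").
    return { hostOnly: true, domain: host };
  }
  let d = domainAttr.toLowerCase();
  if (d.startsWith('.')) d = d.slice(1); // a leading dot is ignored (RFC 6265 5.2.3)
  if (!domainMatches(host, d)) return null;
  return { hostOnly: false, domain: d };
}

// Would a cookie stored with this record be sent on a request to host?
function cookieSentTo(record, host) {
  const h = host.toLowerCase();
  return record.hostOnly ? h === record.domain : domainMatches(h, record.domain);
}

// Walk through the thread's three calls as issued from the login page on auth.domain.com
// (constructed scenario), plus a sibling-domain attempt that the browser must reject.
function threadScenario() {
  const setter = 'auth.domain.com';
  return {
    hostOnly: effectiveCookieDomain(setter),                     // setCookieStore("my-cookie")
    explicit: effectiveCookieDomain(setter, 'auth.domain.com'),  // second form from the issue
    dotPrefixed: effectiveCookieDomain(setter, '.domain.com'),   // third form from the issue
    sibling: effectiveCookieDomain(setter, 'app.domain.com'),    // rejected: not a parent of setter
  };
}

module.exports = { domainMatches, effectiveCookieDomain, cookieSentTo, threadScenario };
```

Only the dot-prefixed form produces a cookie that app.domain.com receives, and the sibling attempt is dropped by the browser rather than stored, which is the injection protection cainlevy refers to.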

triasmoro commented 5 years ago

Yes, you're right. It would lead to cross-domain injection attacks. Sorry for my bad knowledge. I just realized the cookie has been set at my API URL (api.domain.com). I can use that one.

Thank you @cainlevy