I have a situation in which I am trying to use a single Http-Only authentication cookie across sub-domains.
I have verified that the authenticate response sets the cookie, I see the domain in the response as .mydomain.com. If I open the cookie viewer in Chrome (Settings -> Show Advanced Settings -> Content Settings -> All cookies and site data ...) I see my auth cookie stored under mydomain.com (no leading '.', not sure why).
However, when I do a simple get request back to my auth server to get a full authorization token, the authentication cookie is not sent:
//Sent from http://app.mydomain.com
$.get('http://auth.mydomain.com', null, function(fullAuthorizeTok) {});
Is it impossible to send cookies even in a cross sub-domain request like this?
I'm using an Http-Only authentication cookie to protect against XSS attacks and then using an authorization token manually submitted on potent operations to protect against XSRF attacks. This bit is the part where the app has already authenticated and is requesting an authorization token from the server, and I would prefer this to be possible from client JS.
The request must be explicitly cross-domain for the cookies to be sent. I thought the browser would implicitly send cookies across sub-domains if they were shared between the said sub-domains, but it is not so. The request needs to look like this:
$.ajax({
    url: 'http://auth.mydomain.com',
    method: 'GET',
    crossDomain: true,
    data: {},
    xhrFields: {
        withCredentials: true   // tells the browser to attach cookies to the cross-origin request
    },
    success: function (tokenStr) {
        // Do Stuff
    },
    error: function (jqXHR, type, exception) {
        alert('Oh Dear.');
    }
});
And of course the response should include the appropriate CORS headers.
As a side note, this does not work across domains if they don't share the same parent domain. So you can send a cookie from 'app.mydomain.com' to 'auth.mydomain.com', but not to 'auth.mydomain2.com'.
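The server side of that answer, as an added example that is not the poster's code: the response headers the auth server has to send for a withCredentials request, and the Set-Cookie line that shares the HttpOnly cookie across sub-domains. It assumes the domain names from the question, Node-style lower-cased request header names, and https origins (the question's URLs are plain http).

```javascript
// Added example (not from the original question/answer). Assumes the
// auth server runs behind TLS and the domain names are those of the question.

const COOKIE_DOMAIN = "mydomain.com"; // Set-Cookie uses Domain=mydomain.com; per RFC 6265
                                      // browsers drop a leading dot, which is why Chrome
                                      // lists the cookie under "mydomain.com"

// Accept only a bare https origin that is the parent domain or one of its
// sub-domains. A credentialed response must echo one explicit origin:
// browsers refuse "Access-Control-Allow-Origin: *" when withCredentials is set.
function isAllowedOrigin(origin) {
  if (typeof origin !== "string") return false;
  let url;
  try { url = new URL(origin); } catch { return false; }
  if (url.origin !== origin) return false;          // reject paths, userinfo, trailing junk
  if (url.protocol !== "https:") return false;      // the cookie is marked Secure
  const host = url.hostname;
  return host === COOKIE_DOMAIN || host.endsWith("." + COOKIE_DOMAIN);
}

// Headers to add to the auth server's response (and to the OPTIONS preflight).
// An unknown origin gets no CORS headers at all, so the browser blocks the read.
function corsHeaders(requestHeaders) {
  const origin = requestHeaders["origin"];
  if (!isAllowedOrigin(origin)) return {};
  return {
    "Access-Control-Allow-Origin": origin,       // exact echo of an allow-listed origin, never "*"
    "Access-Control-Allow-Credentials": "true",  // required for xhrFields.withCredentials
    "Access-Control-Allow-Methods": "GET",
    "Vary": "Origin",                            // stop shared caches from replaying one origin's answer
  };
}

// The HttpOnly cookie the auth server sets. Domain= makes it visible to every
// sub-domain; SameSite is keyed on the registrable domain, so a Lax cookie is
// still attached to app.mydomain.com -> auth.mydomain.com XHRs.
function authCookie(value) {
  return `auth=${encodeURIComponent(value)}; Domain=${COOKIE_DOMAIN}; Path=/; Secure; HttpOnly; SameSite=Lax`;
}

module.exports = { isAllowedOrigin, corsHeaders, authCookie };
```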