When visiting foo.com, the response of an Ajax GET request to bar.co.at includes this response header:
Set-Cookie: PHPSESSID=i39mm1u7jh4tr7pmebue1k7abc;
expires=Thu, 19-Nov-2020 20:34:40 GMT;
Max-Age=3600;
path=/;
domain=.bar.co.at;
secure;
HttpOnly;
SameSite=none
A subsequent Ajax POST request to bar.co.at does not include any cookie header. But I need this header for having a session on bar.co.at.
Maybe that could be related to CORS somehow, or maybe to the cookie name PHPSESSID?
(It's the same on Firefox and Chrome 86.0.4240.111)
It seems like this is the Third Party Anti Tracking (TPT) policy. So from now on, the browser will not send cookies to third-party domains from your domain.
You can find some options for how to resolve it here: https://webkit.org/blog/10218/full-third-party-cookie-blocking-and-more/
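
Added example, not part of the question or the answer above: a small model of the checks a browser applies before attaching the cookie from the question to the cross-site POST, including the third-party blocking the answer points to. The `req` field names, the request URL and the treatment of an unset SameSite as Lax are assumptions; cookie expiry is not modelled.

```javascript
// Added diagnostic model (not browser source code). Field names on `req` are
// assumptions; pageSite/targetSite are registrable domains supplied by the caller.

// Parse a Set-Cookie header value into name, value and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map(s => s.trim()).filter(Boolean);
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const a of attrs) {
    const i = a.indexOf('=');
    const key = (i < 0 ? a : a.slice(0, i)).trim().toLowerCase();
    cookie.attrs[key] = i < 0 ? true : a.slice(i + 1).trim();
  }
  return cookie;
}

// Reasons the cookie is withheld from the request; an empty array means it is sent.
function whyNotSent(cookie, req) {
  const reasons = [];
  const url = new URL(req.url);
  const host = url.hostname.toLowerCase();
  const domain = String(cookie.attrs.domain || host).replace(/^\./, '').toLowerCase();
  const sameSite = String(cookie.attrs.samesite || 'lax').toLowerCase(); // unset modelled as Lax
  const crossSite = req.pageSite !== req.targetSite;

  if (host !== domain && !host.endsWith('.' + domain)) reasons.push('domain mismatch');
  if (!url.pathname.startsWith(cookie.attrs.path || '/')) reasons.push('path mismatch'); // simplified
  if (cookie.attrs.secure && url.protocol !== 'https:') reasons.push('Secure cookie, non-HTTPS request');
  if (sameSite === 'none' && !cookie.attrs.secure) reasons.push('SameSite=None without Secure');
  if (crossSite && sameSite !== 'none') reasons.push('SameSite=' + sameSite + ' on cross-site Ajax');
  if (crossSite && req.credentials !== 'include') reasons.push('credentials mode is not "include"');
  if (crossSite && req.blockThirdParty) reasons.push('third-party cookies blocked by browser');
  return reasons;
}

// The header from the question, joined onto one line.
const header = 'PHPSESSID=i39mm1u7jh4tr7pmebue1k7abc; expires=Thu, 19-Nov-2020 20:34:40 GMT; ' +
  'Max-Age=3600; path=/; domain=.bar.co.at; secure; HttpOnly; SameSite=none';
const cookie = parseSetCookie(header);
// Constructed request: page on foo.com posting to bar.co.at (URL path is made up).
const post = { url: 'https://bar.co.at/api', pageSite: 'foo.com', targetSite: 'bar.co.at' };

console.log(whyNotSent(cookie, { ...post, credentials: 'include', blockThirdParty: false }));
console.log(whyNotSent(cookie, { ...post, credentials: 'include', blockThirdParty: true }));
console.log(whyNotSent(cookie, { ...post, credentials: 'same-origin', blockThirdParty: false }));
```

With the attributes shown in the question, the cookie itself passes every check, so what remains is the request's credentials mode and the browser's third-party cookie policy.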