cookies browser cors subdomain

Separate cookies for different origin subdomains


Is it possible to not share a cookie between different origin subdomains? For example, I have an API hosted on AWS at e.g. abcd1234.execute-api.eu-west-1.amazonaws.com. It is set up for CORS to allow access from *.app.com, and the auth cookie works fine. The problem is, I want to have different auth cookies for different app.com subdomains, so that you can be logged in as a different user for each subdomain. Currently, if I log in as an admin at admin.app.com, then access user.app.com, the browser is still sending the cookie set at admin.app.com.


Solution

  • Apparently it's not possible to do this. I instead opted for having separately named cookies based on the origin of the request.
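
One way to implement the per-origin cookie naming the answer describes, as an added example that is not part of the original post. The helper names are hypothetical, and it assumes the browser sends an `Origin` header, that allowed origins are single-label HTTPS subdomains of app.com, and that `SameSite=None` is needed because the API host is cross-site to app.com.

```javascript
// Added example (hypothetical helpers). The browser stores every cookie against
// the API host and sends all of them, so the server must pick by Origin.
const ORIGIN_RE = /^https:\/\/([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)\.app\.com$/;

// Map an allowed Origin to its own cookie name; null means "not an allowed origin".
function cookieNameForOrigin(origin) {
  const m = ORIGIN_RE.exec(origin || "");
  return m ? `auth_${m[1]}` : null;
}

// Headers for a login response. With credentials, the CORS origin must be
// echoed exactly (a wildcard is rejected by browsers), hence Vary: Origin.
function loginHeaders(origin, token) {
  const name = cookieNameForOrigin(origin);
  if (!name) return null;
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",
    "Set-Cookie": `${name}=${encodeURIComponent(token)}; Path=/; Secure; HttpOnly; SameSite=None`,
  };
}

// Return only the token that belongs to the requesting origin, ignoring
// cookies set for sibling subdomains that arrive in the same Cookie header.
function tokenForRequest(origin, cookieHeader) {
  const name = cookieNameForOrigin(origin);
  if (!name) return null;
  for (const part of (cookieHeader || "").split(";")) {
    const eq = part.indexOf("=");
    if (eq < 0 || part.slice(0, eq).trim() !== name) continue;
    try {
      return decodeURIComponent(part.slice(eq + 1).trim());
    } catch (e) {
      return null; // malformed percent-encoding: treat as unauthenticated
    }
  }
  return null;
}

// Constructed sample: both cookies arrive together, one is selected per origin.
const SAMPLE_COOKIE_HEADER = "auth_admin=tokA; auth_user=tokB";
console.log(tokenForRequest("https://user.app.com", SAMPLE_COOKIE_HEADER));
```

The token behind each cookie should also be bound server-side to the subdomain it was issued for, so that a value copied under another cookie name is rejected.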