0

I've been trying to accomplish this task for quite some time but haven't got any breakthrough yet. I would be really thankful if anyone can help me out in this.

Current Situation:

I've two applications that I'm running in two sub-domains as

st.localhost:8080 and acm.localhost:8080

When a user tries to access either of the URLs, I search for a cookie named 'auth' using Angular $cookies service. If the cookie is defined or present, the user is redirected to the original application. However, if the cookie is undefined, the user is redirected to a login page (the login page resides in both the applications).

From the login page, after successful credentials check, I set the 'auth' cookie again with a random value. This cookie is supposed to be shared between the two sub-domains.

Express:

    var express = require('express');
    var httpProxy = require('http-proxy');
    var vhost = require('vhost');

    var app = express();
    var proxy = httpProxy.createProxyServer();

    app.get('/login', function(req, res) {
        // Random value used as the 'auth' cookie contents
        var randomNumber=Math.random().toString();
        randomNumber=randomNumber.substring(2,randomNumber.length);
        var expireDate = new Date();
        expireDate.setDate(expireDate.getDate() + 1);
        // Domain is set to 'localhost' so that both sub-domains are meant to share the cookie
        res.cookie('auth', randomNumber, { maxAge: 90000000, domain: 'localhost', httpOnly: false });
        console.log('cookie created successfully');
        res.send('Login successful');
    });

    app.use('/api', function(req, res) {
        req.headers[ 'Authorization' ] = 'Basic dXNlcjpwYXNzd29yZA==';
        // req.cookie does not exist without a cookie parser; log the raw Cookie header instead
        console.log("Request cookies: " + req.headers.cookie);
        proxy.web(req, res, { target: 'restApiTarget' });
    });

    // ST application
    app.use(vhost('st.localhost', express.static('./st')));

    // ACM application
    app.use(vhost('acm.localhost', express.static('./acm')));

    app.listen(8080, function () {
        console.log('Fweb server running on port 8080!');
    });

Angular

Below login function is shared by both ST and ACM applications

    $scope.login = function(formValid){
        $scope.incorrectCredentials = false;
        if(formValid){
            $http.get('/login', 
                {
                    params: {
                        username: $scope.username,
                        password: $scope.password
                    },
                    headers : {
                        'Accept' : 'application/json'
                    }
                }
            ).then(function(response){
                $scope.incorrectCredentials = false;
                var obj = $cookies.getObject('auth');
                console.log("auth is: " + obj);
                $state.go($stateParams.origin);
            }, function(response){
                $scope.incorrectCredentials = true;
            });
        }
    }

Express is able to successfully create the cookie 'auth' as I can see the Set-Cookie header in the /login service response. However, the browser is not attaching this cookie to the subsequent API requests that I'm making from my application (say st.localhost). I'm not able to read this cookie through Angular as well.

     var obj = $cookies.getObject('auth');
     console.log("auth is: " + obj);

results in obj being undefined.

I've a feeling that there is something wrong in the way I'm setting the domain of the cookie as 'localhost' from one of the sub-domains.

Any suggestions on what I may be doing wrong?

Thanks in advance.

Yash Kapila

2 Answers

2

This is the second time I'm providing an answer to my own question. I guess I need to be more patient next time onwards before posting a question. Anyways, I hope this answer is helpful for people who are stuck in a similar situation like I was.

Firstly, I found out that it is possible to share a cookie between subdomains even if you create it in one of the subdomains. However, there were some posts/answers which said otherwise.

What one needs to do while creating a cookie in one of the subdomains is that the parameter 'domain' needs to be set as the parent domain value. For example, if you are creating a cookie in say st.testserver.com then while setting a sharable cookie in it, the 'domain' parameter must be set as '.testserver'.

However, if your parent domain is also the Top Level Domain (TLD), then you won't be able to create a shared cookie in the subdomain. This is exactly what was happening to me earlier when I posted this question.

When I was using st.localhost and trying to create a cookie with 'domain' as '.localhost', it wasn't allowing me to do so because localhost here is the TLD. But when I renamed my domain name to st.testserver.com, I was able to create the cookie with 'domain' as '.testserver.com' because it wasn't the TLD anymore.

I hope someone can validate this answer once and let me know if I provided any incorrect information.

Thanks.

Yash Kapila
  • Here is a nice (and short) article about this subject: https://medium.com/@emilycoco/working-with-subdomains-locally-and-sharing-cookies-across-them-12b108cf5e43 – Shaya Mar 06 '18 at 14:27
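
An added example (not part of the original answer or the asker's code) that models the RFC 6265 section 5.3 storage rule behind the behaviour described above, and shows which hosts a stored cookie is then sent to. `isPublicSuffix` and its constructed suffix set are assumptions standing in for the real Public Suffix List, whose default `*` rule makes any single-label name such as `localhost` a suffix; actual browsers may differ in detail.

```javascript
// Added example: models RFC 6265 section 5.3 handling of the Domain attribute.
// isPublicSuffix() is a simplified stand-in for the real Public Suffix List:
// a constructed set plus the PSL default rule "*" (any single label is a suffix).
const CONSTRUCTED_SUFFIXES = new Set(['com', 'org', 'co.uk']);

function isPublicSuffix(name) {
  return !name.includes('.') || CONSTRUCTED_SUFFIXES.has(name);
}

// RFC 6265 section 5.1.3: host equals domain, or ends with "." + domain.
function domainMatches(host, domain) {
  return host === domain || host.endsWith('.' + domain);
}

// Decide what happens to Set-Cookie ... Domain=<domainAttr> received from
// requestHost. The port is dropped because cookies are not port-scoped
// (host names only; IP literals are out of scope for this sketch).
function evaluateSetCookie(requestHost, domainAttr) {
  const host = requestHost.toLowerCase().split(':')[0];
  const domain = (domainAttr || '').toLowerCase().replace(/^\./, '');
  if (domain === '') return { accepted: true, hostOnly: true, domain: host };
  if (isPublicSuffix(domain)) {
    // A public suffix is tolerated only when it is the request host itself,
    // and then the cookie is stored host-only, so it is never shared.
    return domain === host
      ? { accepted: true, hostOnly: true, domain: host }
      : { accepted: false, reason: 'Domain is a public suffix' };
  }
  if (!domainMatches(host, domain)) {
    return { accepted: false, reason: 'request host does not domain-match' };
  }
  return { accepted: true, hostOnly: false, domain };
}

// Would a stored cookie be attached to a request for targetHost?
function cookieSentTo(stored, targetHost) {
  if (!stored.accepted) return false;
  const host = targetHost.toLowerCase().split(':')[0];
  return stored.hostOnly
    ? host === stored.domain
    : domainMatches(host, stored.domain);
}
```
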
0

Cookies are domain specific. If you want access across domains, you need to use some cross store like cross-storage, etc.