
I have a website:

www.example.com

This website is a Single Page Application (SPA) that calls APIs in this subdomain:

api.example.com

Today I am using the Authorization header (Bearer token) in the API, but I am trying to replace it with cookies, because if I use the "HttpOnly" flag, cookies are not accessible by JavaScript, and then I prevent XSS attacks.

I am using this code to set the cookie in Node.js when the user logs in ("api.example.com/login"):

exports.handler = async function(event) {
    ...
    let userSessionId = ...
    ...
    response['headers']['Set-Cookie'] = `user_session_id=${userSessionId}; HttpOnly`;
    return response;
}

The browser is receiving the "Set-Cookie" header, but it is not passing it in subsequent API calls.

Is it possible to send "HttpOnly" cookies in AJAX requests from "www.example.com" to "api.example.com"?

Should I change my API endpoint to "www.example.com/api"? Or is there another alternative? If possible, I would like to keep the API in a different subdomain ("api.example.com").

Daniel Barral
