
I have a front-end Angular application that is hosted on dev.subdomain.mydomain.com. The application makes HTTP requests to a .NET Core API hosted on dev.api.mydomain.com. My Angular application has a session cookie associated with it with the following security properties:

Secure=true
HttpOnly=true
SameSite=None
Domain=.mydomain.com

I want the cookie to be sent to the backend server on every request but for some reason the request gets sent without it.

I added an Angular interceptor that adds the withCredentials option to the outgoing request:

req = req.clone({
    headers: req.headers.set('Content-Type', 'application/json'),
    withCredentials: true
});

But that didn't help either. Tested this both in Chrome and Firefox, same results.

Update: I noticed that the cookie does get sent on the initial HTTP request (going to the server to get the Angular application), but AJAX requests using HttpClient do not get sent with the cookie.

Update 2: I've set my API so that the following headers are included in the preflight response:

Access-Control-Allow-Origin: https://dev.subdomain.mydomain.com
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: content-type,withcredentials
Access-Control-Allow-Methods: GET

Cookie still not being sent.

mduck
  • Cookies should really be used only in front end. What exactly are you trying to do with a cookie on the server side? – Chris Sep 03 '20 at 19:43
  • it is a session cookie. I use it to identify users through a backend security system – mduck Sep 03 '20 at 19:45
  • Wouldn't an OAuth token be a much better solution than trying to use a cookie? – Chris Sep 03 '20 at 20:05
  • we use this cookie in combination with a JWT token. It's a legacy system that we're trying to work our way around. My issue is I need that cookie to be sent to the server, which I feel is not a rare scenario – mduck Sep 03 '20 at 20:18
  • @mduck Did you find any solution for this? Even I am facing a similar issue. – sgk Nov 19 '21 at 07:46
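The preflight headers listed in Update 2 are the critical part of a credentialed cross-origin request, so here is an added example (not code from the question or from the asker's API) of how a server must answer them: the Origin is echoed exactly rather than answered with `*`, `Access-Control-Allow-Credentials: true` is set, and `Vary: Origin` is added because the response depends on the request. The allow-list and the `session` cookie name are constructed for the example, and the handler works on a plain `{method, headers}` object instead of a socket so it can be run offline; the real API in the question is .NET Core, this is plain Node.js. Note that `withCredentials` is an XMLHttpRequest/HttpClient option, not a request header, so it does not need to appear in `Access-Control-Allow-Headers`; `Content-Type` does, because `application/json` makes the request non-simple.

```javascript
// Added example, not code from the question or its API.
// Constructed allow-list of exact origins (scheme + host, no trailing slash).
const ALLOWED_ORIGINS = new Set(['https://dev.subdomain.mydomain.com']);

// CORS headers for a request from `origin`, or null if the origin is not
// allowed. With credentials the browser requires an exact echo of the
// origin: "Access-Control-Allow-Origin: *" is rejected when
// Access-Control-Allow-Credentials is true.
function corsHeaders(origin, allowed = ALLOWED_ORIGINS) {
  if (typeof origin !== 'string' || !allowed.has(origin)) return null;
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    // withCredentials is a client-side option, not a request header, so it
    // is not listed; Content-Type is, because application/json triggers a
    // preflight.
    'Access-Control-Allow-Headers': 'content-type',
    'Access-Control-Allow-Methods': 'GET, OPTIONS',
    // The response depends on Origin, so shared caches must key on it.
    'Vary': 'Origin',
  };
}

// Set-Cookie value for a session cookie shared across *.mydomain.com.
// Browsers only accept SameSite=None together with Secure, so Secure is
// always emitted here.
function sessionCookie(name, value, domain, sameSite = 'Lax') {
  return `${name}=${value}; Domain=${domain}; Path=/; Secure; HttpOnly; SameSite=${sameSite}`;
}

// Minimal request handler over a plain {method, headers} object (header
// names lower-cased, as Node's http module delivers them).
// Returns {status, headers, body}.
function handleRequest(req) {
  const cors = corsHeaders(req.headers.origin);
  if (req.method === 'OPTIONS') {
    // Preflight: 204 with CORS headers when allowed, 403 otherwise.
    return cors
      ? { status: 204, headers: cors, body: '' }
      : { status: 403, headers: {}, body: '' };
  }
  if (req.method !== 'GET') return { status: 405, headers: cors || {}, body: '' };
  // The session cookie only arrives if the browser attached it (see the
  // question: withCredentials plus matching cookie attributes).
  const hasSession = /(?:^|;\s*)session=/.test(req.headers.cookie || '');
  return {
    status: hasSession ? 200 : 401,
    headers: { ...(cors || {}), 'Content-Type': 'application/json' },
    body: JSON.stringify({ authenticated: hasSession }),
  };
}

// Constructed sample exchange: the preflight, then the credentialed GET.
const ORIGIN = 'https://dev.subdomain.mydomain.com';
const preflight = handleRequest({
  method: 'OPTIONS',
  headers: { origin: ORIGIN, 'access-control-request-method': 'GET' },
});
const getWithCookie = handleRequest({
  method: 'GET',
  headers: { origin: ORIGIN, cookie: 'session=abc123' },
});
console.log(preflight.status, preflight.headers['Access-Control-Allow-Origin']);
console.log(getWithCookie.status, getWithCookie.body);
console.log(sessionCookie('session', 'abc123', '.mydomain.com', 'None'));
```

If the browser still drops the cookie after the preflight looks like this, the problem is on the cookie side (attributes, scheme, domain) rather than in CORS, which is what the DevTools checks in the answer below are for.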

1 Answer

If both the front-end and the API are under *.mydomain.com then they should count as the same-site, meaning that SameSite=Lax should be fine.

If you look at the Chrome Developer Tools then the Issues tab should tell you about any cookies that are either being affected by SameSite defaults or don't have the attribute set correctly.

In the Network tab, if you select an individual request then you can also look at the Cookies subpanel there and enable "show filtered out request cookies" to show which cookies were dropped. Hovering over them will also provide a tooltip explaining why.

rowan_m
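The answer's point that dev.subdomain.mydomain.com and dev.api.mydomain.com are same-site (so SameSite=Lax would do) and the asker's combination of Secure, Domain=.mydomain.com and withCredentials can be checked mechanically. The following is an added example (not code from the answer or the question) that models, for an XHR from a page to an API, the rules a browser applies before attaching a cookie: SameSite=None requires Secure, a Secure cookie only travels over https, the Domain attribute must cover the request host, a cross-origin XHR needs withCredentials, and a Lax or Strict cookie is withheld from cross-site requests. It assumes the registrable domain is the last two host labels (a real browser consults the Public Suffix List, but that is correct for *.mydomain.com), and the sample URLs and cookie are constructed from the question.

```javascript
// Added example, not code from the question or the answer.

// Assumption: registrable domain = last two labels (no Public Suffix List).
function registrableDomain(host) {
  return host.toLowerCase().split('.').slice(-2).join('.');
}

// Schemeful same-site: same scheme and same registrable domain.
function isSameSite(urlA, urlB) {
  const a = new URL(urlA), b = new URL(urlB);
  return a.protocol === b.protocol &&
    registrableDomain(a.hostname) === registrableDomain(b.hostname);
}

function isSameOrigin(urlA, urlB) {
  return new URL(urlA).origin === new URL(urlB).origin;
}

// Cookie Domain attribute match: host equals the domain or is a subdomain.
function domainMatches(host, cookieDomain) {
  const d = cookieDomain.replace(/^\./, '').toLowerCase();
  const h = host.toLowerCase();
  return h === d || h.endsWith('.' + d);
}

// Decide whether `cookie` would be attached to an XHR issued by `pageUrl`
// to `requestUrl`. cookie: {name, secure, httpOnly, sameSite, domain}.
// A missing SameSite attribute is treated as Lax (the Chrome default).
// Returns {sent, reason}; HttpOnly never affects sending, only script access.
function cookieSent({ cookie, pageUrl, requestUrl, withCredentials }) {
  const req = new URL(requestUrl);
  const sameSiteAttr = cookie.sameSite || 'Lax';
  if (sameSiteAttr === 'None' && !cookie.secure) {
    return { sent: false, reason: 'SameSite=None requires Secure; cookie rejected at set time' };
  }
  if (cookie.secure && req.protocol !== 'https:') {
    return { sent: false, reason: 'Secure cookie not sent over http' };
  }
  if (!domainMatches(req.hostname, cookie.domain)) {
    return { sent: false, reason: 'Domain attribute does not cover request host' };
  }
  if (!isSameOrigin(pageUrl, requestUrl) && !withCredentials) {
    return { sent: false, reason: 'cross-origin XHR without withCredentials' };
  }
  const sameSite = isSameSite(pageUrl, requestUrl);
  if (!sameSite && sameSiteAttr !== 'None') {
    return { sent: false, reason: `SameSite=${sameSiteAttr} withholds cookie from cross-site XHR` };
  }
  return { sent: true, reason: sameSite ? 'same-site request' : 'cross-site request, SameSite=None' };
}

// Constructed scenario from the question.
const PAGE = 'https://dev.subdomain.mydomain.com/';
const API = 'https://dev.api.mydomain.com/api/me';
const askerCookie = { name: 'session', secure: true, httpOnly: true, sameSite: 'None', domain: '.mydomain.com' };

console.log('same-site?', isSameSite(PAGE, API));                      // true
console.log(cookieSent({ cookie: askerCookie, pageUrl: PAGE, requestUrl: API, withCredentials: true }));
console.log(cookieSent({ cookie: askerCookie, pageUrl: PAGE, requestUrl: API, withCredentials: false }));
console.log(cookieSent({ cookie: { ...askerCookie, sameSite: 'Lax' }, pageUrl: PAGE, requestUrl: API, withCredentials: true }));
```

Running it shows that, under the stated attributes, the asker's cookie is expected to be attached once withCredentials is set, and that Lax is sufficient for this same-site pair; if the browser still drops it, the DevTools Issues tab and the "show filtered out request cookies" toggle the answer mentions will name the rule that actually fired.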