This is a protocol question - not related to a specific programming language.

Let's say we currently have:

  • a website using the domain: example.com
  • a frontend app at: example.com/example-front
  • an API at: example.com/api/example-data
  • all addresses using HTTPS.
  • The front-end app calls the API to log in and gets a set-cookie: data=SOME_DATA; Secure; httpOnly; Path=/; Domain=example.com and it works as expected.
  1. We want to transfer the frontend app from example.com/example-front to front.example.com.
  2. The API will stay at the same address.

What should be done (frontend / backend / subdomain gateway) in order to make this work?

(I already tried setting domain=.example.com and sameSite=None.)

David Levy
1 Answer
After checking everything that needed to be done and verifying it in production too, the steps to resolve this issue are:

From the frontend perspective:

  • if you’re using axios / XHR - add withCredentials: true
  • if you’re using fetch - add credentials: true

From the backend perspective (the API):

  1. Add header: “access-control-allow-origin: [specify the specific subdomain, including protocol. E.g: https://sub.example.com]”
  2. Add “access-control-allow-credentials: true”
  3. At the “set-cookie” header, you should mention: “httpOnly; secure; domain=example.com; sameSite=None;”
David Levy
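The backend and frontend pieces from the answer, as an added example that is not part of the original post: an origin allowlist that echoes the exact subdomain (a wildcard is rejected by browsers once credentials are involved), the credentials and Vary headers, the Set-Cookie attributes, and the fetch init the browser needs (fetch takes the string 'include', not a boolean). The origins, cookie name and handler shape are assumptions for illustration.

```javascript
// Added example (not from the original post). Assumed layout: API at
// https://example.com/api, frontend moved to https://front.example.com.
const ALLOWED_ORIGINS = new Set([
  'https://front.example.com', // the new frontend subdomain
  'https://example.com',       // old same-origin location, if still served
]);

// CORS response headers for a request from `origin`, or null when the origin
// is not allowlisted. Callers must then omit CORS headers entirely: falling
// back to "*" is refused by browsers when credentials are requested.
function corsHeadersFor(origin) {
  if (!ALLOWED_ORIGINS.has(origin)) return null;
  return {
    'Access-Control-Allow-Origin': origin, // exact origin, never "*"
    'Access-Control-Allow-Credentials': 'true',
    'Access-Control-Allow-Methods': 'GET, POST, OPTIONS',
    'Access-Control-Allow-Headers': 'Content-Type',
    'Vary': 'Origin', // stop shared caches from serving one origin's answer to another
  };
}

// Set-Cookie value from the answer: Domain=example.com makes the cookie
// visible to front.example.com; SameSite=None is only accepted with Secure.
function sessionCookie(name, value, maxAgeSeconds) {
  return [
    `${name}=${encodeURIComponent(value)}`,
    'Path=/',
    'Domain=example.com',
    `Max-Age=${maxAgeSeconds}`,
    'Secure',
    'HttpOnly',
    'SameSite=None',
  ].join('; ');
}

// Frontend side: fetch init that makes the browser send and store the cookie
// across the subdomain boundary ('include' is the required value).
function loginRequestInit(body) {
  return {
    method: 'POST',
    credentials: 'include',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify(body),
  };
}

// Minimal login handler wiring the pieces together (Node http-style req/res).
function handleLogin(req, res) {
  const cors = corsHeadersFor(req.headers.origin);
  if (!cors) { res.writeHead(403); res.end(); return; }
  if (req.method === 'OPTIONS') { res.writeHead(204, cors); res.end(); return; }
  res.writeHead(200, { ...cors, 'Set-Cookie': sessionCookie('data', 'SOME_DATA', 3600) });
  res.end('{"ok":true}');
}
```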