Setting cookie in top domain sent from subdomain [Half-Solved]


I am working on a website and I separated my front-end from my back-end; both have their own domain:

FE : website.domain.com
BE : be.website.domain.com

I am struggling with cookies, since it is the first time I work with them. When a user registers on the front-end, it creates a POST request to the back-end, where the user is added to the DB and the back-end is supposed to send back a session token within a cookie. This works really fine when I test it from the API docs (using FastAPI), but does not from the front-end.

I think it is an issue due to cross origin, but the POST request does work; the cookie is set as follows:

# response is the FastAPI Response object of the registration route
response.set_cookie("session", token_char, secure=True, httponly=False, max_age=7200, domain="domain.com", samesite="None", path="/")

I also set both the FE server and the BE server with the following parameters:

from fastapi import FastAPI
from fastapi.middleware.cors import CORSMiddleware

app = FastAPI()

# Allow credentialed (cookie-carrying) requests from the two explicit origins
app.add_middleware(
    CORSMiddleware,
    allow_origins=["https://website.domain.com", "https://be.website.domain.com"],
    allow_credentials=True,
    allow_methods=["*"],
    allow_headers=["*"],
)

Yes, the cookie is well received in the header of the POST response. I know the cookie is not set because:

  1. it cannot be found via JavaScript.
  2. it is not displayed in the storage tab of Mozilla/Chromium/LibreWolf.
     Or, if it was previously set through the API, I can read it, but the value is the old one and not the newly generated one, which I can see in the network tab and on the server console (debug print).

I specifically verified that all cookies were accepted in two of those browsers.

More information can be found at the open repo for the project even though it is only being started: https://github.com/Hirofine/MagiMathicArt

Edit as solved (kind of):
Since I could not figure out a way to do it, I moved the register and login pages to be served by the back-end server. There I can set the cookie on the domain "domain.com" and access it from my front-end.

This is not something I really like, since I have to use the back-end server to serve front-end files, but the other solutions I could have gone with were to send the token in the response to the POST request, and then either set the cookie using JavaScript, or redirect to a page served by the back-end that would set the cookie and then redirect to the front-end, which is kind of equivalent to my actual solution except that it makes the token travel way more on the network, and I would probably be required to use JavaScript to send it between the pages.

If a better answer is proposed here, or I find a better solution, I will update; in the meantime, my solution seems to work.

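As an added example that is not part of the question or the linked project, the following Python checks the conditions a browser applies before storing a cross-origin Set-Cookie like the one above: RFC 6265 domain matching of Domain=domain.com against the responding host, SameSite=None needing Secure, Secure needing https, and, on the fetch side, credentials: 'include' plus an exact (non-"*") Access-Control-Allow-Origin with Access-Control-Allow-Credentials: true. The header, URL, origin and CORS values are constructed to mirror the question; the token value is a placeholder.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit


def domain_matches(host: str, cookie_domain: str) -> bool:
    """RFC 6265 domain-matching: the host is the cookie domain or a subdomain of it."""
    host, cookie_domain = host.lower(), cookie_domain.lower().lstrip(".")
    return host == cookie_domain or host.endswith("." + cookie_domain)


def cookie_store_problems(set_cookie, response_url, request_origin, fetch_credentials, cors):
    """Return the reasons a browser would refuse to store this cross-origin Set-Cookie.
    cors maps the relevant Access-Control-* response headers to their values."""
    jar = SimpleCookie()
    jar.load(set_cookie)
    if len(jar) != 1:
        return ["header did not parse as exactly one cookie"]
    morsel = next(iter(jar.values()))
    url = urlsplit(response_url)
    host, domain = url.hostname or "", morsel["domain"]
    problems = []
    if domain and not domain_matches(host, domain):
        problems.append(f"Domain={domain} does not cover the responding host {host}")
    if morsel["samesite"].lower() == "none" and not morsel["secure"]:
        problems.append("SameSite=None is only accepted together with Secure")
    if morsel["secure"] and url.scheme != "https":
        problems.append("a Secure cookie is dropped when set over plain http")
    if fetch_credentials != "include":
        problems.append("cross-origin fetch() ignores Set-Cookie unless credentials: 'include'")
    if cors.get("Access-Control-Allow-Credentials", "").lower() != "true":
        problems.append("Access-Control-Allow-Credentials: true is missing")
    if cors.get("Access-Control-Allow-Origin") != request_origin:
        problems.append("Access-Control-Allow-Origin must echo the exact origin (never '*') when credentials are used")
    return problems


# Constructed inputs mirroring the question's setup (token value is a placeholder).
QUESTION_SET_COOKIE = "session=TOKEN_PLACEHOLDER; Secure; Max-Age=7200; Domain=domain.com; SameSite=None; Path=/"
QUESTION_RESPONSE_URL = "https://be.website.domain.com/register"
QUESTION_ORIGIN = "https://website.domain.com"
QUESTION_CORS = {"Access-Control-Allow-Origin": QUESTION_ORIGIN, "Access-Control-Allow-Credentials": "true"}

if __name__ == "__main__":
    for mode in ("include", "omit"):
        print(mode, cookie_store_problems(QUESTION_SET_COOKIE, QUESTION_RESPONSE_URL, QUESTION_ORIGIN, mode, QUESTION_CORS))
```

With the question's cookie and CORS settings the only remaining condition is the fetch credentials mode, so the check reports nothing for 'include' and one problem for 'omit'.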

There are 0 answers