TL;DR
This guide shows how to securely authenticate a user across different subdomains (e.g., app.example.com and api.example.com) using cookies. The key is setting the cookie’s domain attribute correctly so all subdomains can access it.
Steps
- Understand cookie domains
  - By default, cookies are scoped to the host that set them: a cookie set by `app.example.com` is sent only to `app.example.com`.
  - To share a cookie across subdomains, set the `domain` attribute when creating the cookie. For example, setting `domain=example.com` makes it available to all subdomains of `example.com`.
When a user successfully logs in on your primary subdomain (e.g., app.example.com), set a cookie with the appropriate domain.
```javascript
// Example using Node.js with Express and the cookie-parser library
const express = require('express');
const cookieParser = require('cookie-parser');
const app = express();
app.use(cookieParser());

app.post('/login', (req, res) => {
  // ... authentication logic ...
  res.cookie('auth_token', 'your_secure_token', {
    domain: '.example.com', // Important: include the leading dot!
    path: '/',
    secure: true,           // Set to true in production (HTTPS only)
    httpOnly: true,         // Not readable by client-side JavaScript
    sameSite: 'strict'      // Recommended for security
  });
  res.send('Login successful');
});
```
Important Notes:
- The leading dot (`.example.com`) is crucial. It tells the browser to include all subdomains.
- Set `secure: true` in production environments to ensure cookies are only sent over HTTPS connections.
- Use `httpOnly: true` to prevent client-side JavaScript from accessing the cookie, mitigating XSS attacks.
- Consider using `sameSite: 'strict'` or `sameSite: 'lax'` for enhanced security against CSRF attacks.
On other subdomains (e.g., api.example.com), your application can automatically access the cookie if it was set with the correct domain.
```javascript
// Example using Node.js with Express and the cookie-parser library
const express = require('express');
const cookieParser = require('cookie-parser');
const app = express();
app.use(cookieParser());

app.get('/protected', (req, res) => {
  // The browser sends the shared cookie to this subdomain automatically
  const authToken = req.cookies.auth_token;
  if (authToken) {
    // ... verify the token ...
    res.send('Protected resource accessed');
  } else {
    res.status(401).send('Unauthorized');
  }
});
```
- Token Storage: Never store sensitive information directly in the cookie. Use a secure token that references data on your server.
- HTTPS Only: Always use HTTPS to protect cookies from interception.
- XSS Protection: Implement robust XSS prevention measures (e.g., input validation, output encoding) to prevent attackers from stealing cookies. The `httpOnly` flag helps but isn't a complete solution.
- CSRF Protection: Use CSRF tokens in addition to the `sameSite` attribute for added security.
- Cookie Expiration: Set appropriate expiration times for your cookies. Short-lived tokens are generally more secure.
- Cyber Security Best Practices: Regularly review and update your cyber security measures.