
Secure Cross-Domain Session Cookies

TL;DR

Setting a session cookie on another domain requires careful handling of security attributes (Secure, HttpOnly, and SameSite) and potential CORS configuration. This guide explains how to do it safely.

Steps

  1. Understand the Restrictions: Browsers have strict rules about cookies. A cookie set by domain ‘a.com’ is generally only accessible by ‘a.com’. Cross-domain access requires specific configuration.
    • A cookie set without a Domain attribute is host-only: it is not automatically shared between subdomains (e.g., www.example.com and api.example.com).
    • Directly setting a cookie for another domain from your JavaScript is usually blocked by the browser’s security model.
  2. Server-Side Setting (Recommended): The most secure method is to set the cookie on the server that controls the target domain.
    • When a user authenticates, your authentication server should send an HTTP response header with the Set-Cookie directive. This sets the cookie directly for the correct domain.
    • Example (PHP, using the options-array form of setcookie() available since PHP 7.3; the cookie name and value mirror the Node.js example below):
    • <?php
        // Must be called before any output is sent, because it writes a response header.
        setcookie('session_id', 'your_session_value', ['domain' => '.targetdomain.com', 'secure' => true, 'httponly' => true, 'samesite' => 'Strict']);
      ?>
    • Example (Node.js with Express):
    • res.cookie('session_id', 'your_session_value', {
        domain: '.targetdomain.com',
        secure: true,
        httpOnly: true,
        sameSite: 'Strict'
      });
  3. Essential Cookie Attributes: These are crucial for security.
    • Secure: This attribute ensures the cookie is only sent over HTTPS connections. Always set this in production!
    • HttpOnly: Prevents client-side JavaScript from accessing the cookie, mitigating XSS attacks. Always set this!
    • SameSite: Controls how cookies are sent with cross-site requests. Options:
      • Strict: Only send the cookie for requests originating from the same site. Most secure option if your application doesn’t require cross-site functionality.
      • Lax: Send the cookie on top-level navigations that use a safe method such as GET (e.g., clicking a link), but not on cross-site POST requests, embedded subresources, or fetch/XHR calls. A good balance between security and usability.
      • None: Send the cookie with all cross-site requests. Requires setting Secure to true; otherwise, the browser will reject the cookie. Use this only if absolutely necessary and understand the risks.
  4. CORS Configuration (If Necessary): If your application involves JavaScript making requests to a different domain, you might need to configure CORS.
    • The target domain’s server must include the appropriate Access-Control-Allow-Credentials header in its responses, and Access-Control-Allow-Origin must name the exact requesting origin: browsers reject a wildcard (*) when credentials are included.
    • Example:
    • Access-Control-Allow-Origin: https://app.yourdomain.com
      Access-Control-Allow-Credentials: true
    • Ensure that your JavaScript code is making requests with the credentials option set to ‘include’.
    • fetch('https://targetdomain.com/api', {
        mode: 'cors',
        credentials: 'include'
      });
  5. Subdomain Considerations: If you want a cookie to be accessible across subdomains (e.g., both www.example.com and api.example.com), set the domain attribute to include the base domain.
    • Example: domain = '.example.com' (modern browsers ignore the leading dot, so Domain=example.com is equivalent and also covers its subdomains).
  6. Testing: Thoroughly test your cookie setup in different browsers and scenarios.
    • Use browser developer tools to inspect the cookies and verify that they are being set correctly with the expected attributes (Secure, HttpOnly, SameSite).
    • Test cross-site requests to ensure the cookie is sent as intended.
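The following is an added example (not code from the original post) that ties steps 2, 3 and 6 together in plain Node.js without Express: it builds a Set-Cookie header value with the Secure, HttpOnly and SameSite attributes, refuses combinations browsers reject (SameSite=None without Secure), and audits an existing Set-Cookie header the way you would when checking a server's responses during testing. The cookie name, value and domain are constructed placeholders.

```javascript
// Added example: build and audit a session Set-Cookie header (plain Node.js, no Express).
// Names, values and domains below are constructed placeholders.

const SAMESITE_VALUES = new Set(['Strict', 'Lax', 'None']);

// Build the value of a Set-Cookie response header. Throws on combinations that
// browsers reject, so a misconfiguration fails at build time rather than in production.
function buildSessionCookie(name, value, opts = {}) {
  const { domain, path = '/', secure = true, httpOnly = true, sameSite = 'Strict', maxAge } = opts;
  // Cookie names are RFC 6265 tokens; values must not contain separators or whitespace.
  if (!/^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/.test(name)) throw new Error('invalid cookie name');
  if (/[;,\s]/.test(value)) throw new Error('cookie value must not contain ; , or whitespace');
  if (!SAMESITE_VALUES.has(sameSite)) throw new Error(`unknown SameSite value: ${sameSite}`);
  if (sameSite === 'None' && !secure) throw new Error('SameSite=None requires Secure');
  const parts = [`${name}=${value}`];
  // RFC 6265 browsers ignore a leading dot, so it is stripped to keep the header canonical.
  if (domain) parts.push(`Domain=${domain.replace(/^\./, '')}`);
  parts.push(`Path=${path}`);
  if (Number.isInteger(maxAge)) parts.push(`Max-Age=${maxAge}`);
  if (secure) parts.push('Secure');
  if (httpOnly) parts.push('HttpOnly');
  parts.push(`SameSite=${sameSite}`);
  return parts.join('; ');
}

// Parse a Set-Cookie header value into its name/value pair and a lower-cased attribute map.
// Flag attributes (Secure, HttpOnly) map to true; valued attributes map to their string.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attributes: {} };
  for (const a of attrs) {
    const i = a.indexOf('=');
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    cookie.attributes[key] = i === -1 ? true : a.slice(i + 1);
  }
  return cookie;
}

// Audit a Set-Cookie header for a session cookie; returns a list of findings (empty means OK).
function auditSessionCookie(header) {
  const { attributes: at } = parseSetCookie(header);
  const findings = [];
  if (!at.secure) findings.push('missing Secure');
  if (!at.httponly) findings.push('missing HttpOnly');
  const sameSite = typeof at.samesite === 'string' ? at.samesite.toLowerCase() : '';
  if (!sameSite) findings.push('missing SameSite (browsers default to Lax, but be explicit)');
  else if (sameSite === 'none' && !at.secure) findings.push('SameSite=None without Secure is rejected by browsers');
  return findings;
}

// Usage: the server sets the header, the tester audits what it actually received.
const header = buildSessionCookie('session_id', 'your_session_value', { domain: '.targetdomain.com', maxAge: 3600 });
console.log(header);
console.log(auditSessionCookie(header));              // []
console.log(auditSessionCookie('session_id=abc; Path=/')); // three findings

module.exports = { buildSessionCookie, parseSetCookie, auditSessionCookie };
```

The audit function is deliberately independent of the builder: point it at the Set-Cookie headers your real server returns (for example, copied from the browser's developer tools in step 6) to confirm that every session cookie carries the attributes step 3 requires.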
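Step 4 says the target server must answer credentialed cross-origin requests with Access-Control-Allow-Credentials, and that the Origin must be named exactly. The following added example (not from the original post) shows the server-side half of that exchange in plain Node.js: an origin allow-list, the response headers for a credentialed request, a preflight handler, and a check that rejects the wildcard configuration browsers refuse. The origins, methods and header names in the allow-lists are constructed placeholders.

```javascript
// Added example: CORS headers for credentialed cross-origin requests (plain Node.js).
// The allow-lists below are constructed placeholders for a real deployment.

const ALLOWED_ORIGINS = new Set(['https://app.targetdomain.com', 'https://www.targetdomain.com']);
const ALLOWED_METHODS = new Set(['GET', 'POST']);
const ALLOWED_HEADERS = new Set(['content-type', 'x-csrf-token']);

// Headers for a simple (non-preflight) credentialed request, or null when the Origin is
// not on the allow-list. The Origin is matched exactly and echoed only when allowed;
// '*' is never used, because browsers reject it when credentials are included.
function corsHeadersFor(origin, allowed = ALLOWED_ORIGINS) {
  if (typeof origin !== 'string' || !allowed.has(origin)) return null;
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    // Tell caches the response depends on the Origin header, so one origin's
    // response is never served to another.
    'Vary': 'Origin',
  };
}

// Headers for an OPTIONS preflight. Returns null when the origin, requested method or
// requested headers are not permitted; the browser then blocks the real request.
function preflightHeadersFor(origin, requestMethod, requestHeaders = '', allowed = ALLOWED_ORIGINS) {
  const base = corsHeadersFor(origin, allowed);
  if (!base || !ALLOWED_METHODS.has(requestMethod)) return null;
  const asked = requestHeaders.split(',').map((h) => h.trim().toLowerCase()).filter(Boolean);
  if (!asked.every((h) => ALLOWED_HEADERS.has(h))) return null;
  return {
    ...base,
    'Access-Control-Allow-Methods': [...ALLOWED_METHODS].join(', '),
    'Access-Control-Allow-Headers': asked.join(', '),
    'Access-Control-Max-Age': '600',
  };
}

// Mirrors the browser's rule for credentialed responses: Allow-Credentials must be
// exactly 'true' and Allow-Origin must be a concrete origin, not '*' or 'null'.
function credentialedCorsIsValid(headers) {
  const acao = headers['Access-Control-Allow-Origin'];
  const acac = headers['Access-Control-Allow-Credentials'];
  return acac === 'true' && typeof acao === 'string' && acao !== '*' && acao !== 'null';
}

// Usage with Node's built-in http module (no Express needed).
function handleRequest(req, res) {
  const origin = req.headers.origin;
  if (req.method === 'OPTIONS') {
    const h = preflightHeadersFor(origin, req.headers['access-control-request-method'],
      req.headers['access-control-request-headers']);
    res.writeHead(h ? 204 : 403, h || {});
    return res.end();
  }
  const h = corsHeadersFor(origin);
  if (h) for (const [k, v] of Object.entries(h)) res.setHeader(k, v);
  res.writeHead(200, { 'Content-Type': 'application/json' });
  res.end(JSON.stringify({ ok: true }));
}

module.exports = { corsHeadersFor, preflightHeadersFor, credentialedCorsIsValid, handleRequest };
```

Pair this with the fetch call in step 4 (credentials: 'include'): the browser attaches the session cookie only if the cookie's SameSite attribute permits the cross-site request, and exposes the response only if these headers name the requesting origin. With SameSite=None in play, the exactness of this allow-list is what keeps the session from being usable by arbitrary third-party sites, so treat it as a security control and keep it short.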

Important Security Notes

  • Never store sensitive information directly in cookies. Use session IDs or tokens instead.
  • Always validate and sanitize any data received from cookies on the server-side to prevent injection attacks.
  • Regularly review your cookie policies and security configurations.