How to share cookie on multiple subdomains?

I’ve got multiple applications running on different docker containers. One handles the login of the user, the others all have separate functionalities.
I use OAuth2 to log in my users, and save their id in a session cookie. I would like to use this session cookie in my other applications to retrieve the user.

I’ve read that you can share cookies on the same domain. Currently I’ve got this setup in all my applications:

  plug Plug.Session,
    store: :cookie,
    domain:  "smiks.online",
    key: "_smiks_apps_key",
    signing_salt: "********"

My secret_key_base is also similar for all applications.
Even so, the cookies that I saved in my ‘Auth-application’ are not visible in the other ones. The Auth-app is running on smiks.online, the other applications are running on subdomains (like inschrijvingen.smiks.online). How can I share a cookie between these applications?

What SameSite flag is set on your cookies? Is it Lax or Strict? Subdomains will work only in case of it being Lax, but with Strict the domain needs to match the one in your browser.

3 Likes

I added

same_site: "Lax"

without result.

The connection of https://smiks.online contains the cookie:

%Plug.Conn{
   adapter: {Plug.Cowboy.Conn, :...},
   assigns: %{user: "VWOK", username: "VAN WOENSEL Kristof"},
   before_send: [#Function<0.58972466/1 in Plug.CSRFProtection.call/2>,
    #Function<2.50475867/1 in Phoenix.Controller.fetch_flash/2>,
    #Function<0.38038610/1 in Plug.Session.before_send/2>,
    #Function<0.24098476/1 in Plug.Telemetry.call/2>],
   body_params: %{},
   cookies: %{
     "_smiks_apps_key" => "SFMyNTY.g3QAAAABbQAAAAR1c2VybQAAAARWV09L.cjoZgpc9uYhEIMejxhKwuNVHj9hC1fuQEsRPEPT00QI"
   },
   halted: false,
   host: "localhost",
   method: "GET",
   owner: #PID<0.3073.0>,
   params: %{},
   path_info: [],
   path_params: %{},
   port: 4007,
   private: %{
     SmiksLoginWeb.Router => {[], %{}},
     :phoenix_action => :index,
     :phoenix_controller => SmiksLoginWeb.PageController,
     :phoenix_endpoint => SmiksLoginWeb.Endpoint,
     :phoenix_flash => %{},
     :phoenix_format => "html",
     :phoenix_layout => {SmiksLoginWeb.LayoutView, :app},
     :phoenix_router => SmiksLoginWeb.Router,
     :phoenix_view => SmiksLoginWeb.PageView,
     :plug_session => %{"user" => "VWOK"},
     :plug_session_fetch => :done
   },
   query_params: %{},
   query_string: "",
   remote_ip: {0, 0, 0, 0, 0, 65535, 44057, 1},
   req_cookies: %{
     "_smiks_apps_key" => "SFMyNTY.g3QAAAABbQAAAAR1c2VybQAAAARWV09L.cjoZgpc9uYhEIMejxhKwuNVHj9hC1fuQEsRPEPT00QI"
   },
   req_headers: [
     {"accept",
      "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8"},
     {"accept-encoding", "gzip, deflate, br"},
     {"accept-language", "en-US,en;q=0.5"},
     {"cache-control", "max-age=0"},
     {"connection", "upgrade"},
     {"cookie",
      "_smiks_apps_key=SFMyNTY.g3QAAAABbQAAAAR1c2VybQAAAARWV09L.cjoZgpc9uYhEIMejxhKwuNVHj9hC1fuQEsRPEPT00QI"},
     {"host", "localhost:4007"},
     {"referer", "https://smiks.smartschool.be/"},
     {"upgrade-insecure-requests", "1"},
     {"user-agent",
      "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0"},
     {"x-forwarded-for", "94.226.254.172"}
   ],
   request_path: "/",
   resp_body: nil,
   resp_cookies: %{},
   resp_headers: [
     {"cache-control", "max-age=0, private, must-revalidate"},
     {"x-request-id", "Fl3EvO2x6Euue5MAAAHB"},
     {"x-frame-options", "SAMEORIGIN"},
     {"x-xss-protection", "1; mode=block"},
     {"x-content-type-options", "nosniff"},
     {"x-download-options", "noopen"},
     {"x-permitted-cross-domain-policies", "none"},
     {"cross-origin-window-policy", "deny"}
   ],
   scheme: :http,
   script_name: [],
   secret_key_base: :...,
   state: :unset,
   status: nil
 }

The connection from extramuros.smiks.online still doesn’t contain any cookie. I also tried with put_resp_cookie without result.

Do you see the cookie set in your browser console? Would it be possible for you to share a screenshot or details of what is in your browser?

I think you just need to make the domain .smiks.online (leading dot acts as a wildcard).

…Paul

In the new specs the dot is not needed anymore:

Contrary to earlier specifications, leading dots in domain names (.example.com) are ignored.

Well, that tells you how long it’s been since I tried to do that. :smiley:

1 Like
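The rule the two replies above are discussing (a leading dot in `Domain` is ignored, and a cookie whose `Domain` is the parent domain is sent to every subdomain) is the browser's domain-matching logic from RFC 6265. The following is an added Python model of that logic, not code from this thread or from Plug; the jar contents and host names are constructed for illustration, and the helper assumes plain `host` or `host:port` values (no bracketed IPv6 literals).

```python
"""Model of how a browser decides which cookies a request to a host receives.

Added example, not code from the thread or from Plug. Follows RFC 6265
(section 5.1.3 domain matching, 5.3 storage, 5.4 Cookie header) and the
current rule that a leading dot in the Domain attribute is ignored.
All jar contents below are constructed for illustration.
"""
import ipaddress
from typing import Optional


def canonical_host(host: str) -> str:
    """Lowercase the host and drop an optional :port and trailing dot.
    Assumes a plain host or host:port (no bracketed IPv6 literal)."""
    return host.lower().split(":", 1)[0].rstrip(".")


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 5.1.3: the host equals the domain, or the host ends with
    '.' + domain and the host is not an IP address."""
    request_host = canonical_host(request_host)
    cookie_domain = canonical_host(cookie_domain).lstrip(".")  # leading dot ignored
    if request_host == cookie_domain:
        return True
    try:
        ipaddress.ip_address(request_host)
        return False  # IP literals never domain-match by suffix
    except ValueError:
        pass
    return request_host.endswith("." + cookie_domain)


def store_cookie(jar: list, name: str, value: str, set_on_host: str,
                 domain_attr: Optional[str] = None) -> bool:
    """RFC 6265 5.3: without a Domain attribute the cookie is host-only;
    with one, the setting host must domain-match it or the cookie is dropped."""
    set_on_host = canonical_host(set_on_host)
    if domain_attr is None:
        domain, host_only = set_on_host, True
    else:
        domain = canonical_host(domain_attr).lstrip(".")
        if not domain_matches(set_on_host, domain):
            return False  # e.g. smiks.online may not set Domain=smartschool.be
        host_only = False
    jar.append({"name": name, "value": value, "domain": domain, "host_only": host_only})
    return True


def cookies_for(jar: list, request_host: str) -> list:
    """Names of the cookies the browser would attach to a request to request_host."""
    request_host = canonical_host(request_host)
    sent = []
    for cookie in jar:
        if cookie["host_only"]:
            if request_host == cookie["domain"]:
                sent.append(cookie["name"])
        elif domain_matches(request_host, cookie["domain"]):
            sent.append(cookie["name"])
    return sent


def demo() -> dict:
    jar: list = []
    # Constructed: set by smiks.online with no Domain attribute -> host-only.
    store_cookie(jar, "_host_only_key", "a", "smiks.online")
    # The thread's configuration: Domain=smiks.online, set from smiks.online.
    store_cookie(jar, "_smiks_apps_key", "b", "smiks.online", "smiks.online")
    # Leading-dot form set from a subdomain: accepted and treated the same.
    store_cookie(jar, "_dotted_key", "c", "test.smiks.online", ".smiks.online")
    # A Domain the setting host does not belong to is rejected outright.
    rejected = not store_cookie(jar, "_bad_key", "d", "smiks.online", "smartschool.be")
    return {
        "smiks.online": cookies_for(jar, "smiks.online"),
        "extramuros.smiks.online": cookies_for(jar, "extramuros.smiks.online"),
        "localhost": cookies_for(jar, "localhost:4007"),
        "rejected_foreign_domain": rejected,
    }


if __name__ == "__main__":
    for host, names in demo().items():
        print(host, "->", names)
```

Two things the model makes visible: a session cookie that leaves the server without a `Domain` attribute is host-only and never reaches a subdomain, so the first check is whether the `Set-Cookie` header the auth app actually emits carries `Domain=smiks.online`; and `SameSite` is evaluated against the site (registrable domain), under which `smiks.online` and `extramuros.smiks.online` are the same site, so the `Domain` attribute rather than `SameSite` decides subdomain visibility.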

I’m getting closer to the cause of the problem.
I created a third website called test.smiks.online that stores another cookie, and I was able to open it in the website extramuros.smiks.online.

The problem must be caused by smiks.online, the website that sets the specific cookie I need. The cookie is set (see my post above). In dev-mode (localhost) everything works fine.
I checked every file, but I’m unable to find the cause. This is my header from the website that needs the cookie, extramuros.smiks.online:


req_headers: [
     {"accept",
     "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"},
     {"accept-encoding", "gzip, deflate, br"},
     {"accept-language", "en-US,en;q=0.5"},
     {"connection", "upgrade"},
     {"host", "localhost:4008"},
     {"upgrade-insecure-requests", "1"},
     {"user-agent",
      "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:58.0) Gecko/20100101 Firefox/58.0"},
     {"x-forwarded-for", "94.226.254.172"}
    ],

resp_headers: [
    {"cache-control", "max-age=0, private, must-revalidate"},
    {"x-request-id", "Fl7EAXfC1-XgkrwAAAHR"},
    {"x-frame-options", "SAMEORIGIN"},
    {"x-xss-protection", "1; mode=block"},
    {"x-content-type-options", "nosniff"},
    {"x-download-options", "noopen"},
    {"x-permitted-cross-domain-policies", "none"},
    {"cross-origin-window-policy", "deny"}
   ],

After trying to comment my code letter by letter, I decided to rebuild the application from scratch with a working result. I kept plugins to a minimum, because I suspect a front-end plugin to be the culprit (if that were possible?)

Anyway, for people looking for the answer, it should work with sharing the same APP_SECRET and having the following session configuration in every application:

  plug Plug.Session,
    store: :cookie,
    domain:  "smiks.online",
    key: "_smiks_apps_key",
    signing_salt: "********"
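The requirement in the answer above that every application share the same `APP_SECRET` (the `secret_key_base`) as well as the same `signing_salt`, `key` and `domain` follows from how the `:cookie` session store protects the cookie: the session term is signed with a key derived from `secret_key_base` and `signing_salt`, so an app with even one of them different cannot validate what the auth app issued. The following is an added Python model of that scheme, not code from this thread or from Plug; it assumes Plug.Crypto's defaults as I know them (PBKDF2-HMAC-SHA256 with 1000 iterations to a 32-byte key, HMAC-SHA256 over `b64url("HS256") "." b64url(payload)`), uses constructed secrets and a constructed payload in place of `:erlang.term_to_binary(session)`, and only reuses the cookie value already posted in the thread to show that the payload segment is readable. Newer plug_crypto versions wrap the term with a timestamp before signing, so check the exact layout against the version you run.

```python
"""Model of the signed session cookie Plug.Session's :cookie store emits.

Added example, not the thread's or Plug's code. Assumptions, taken from
Plug.Crypto defaults as I know them (check against your plug_crypto version):
  key   = PBKDF2-HMAC-SHA256(secret_key_base, signing_salt, 1000 iterations, 32 bytes)
  token = b64url("HS256") "." b64url(payload) "." b64url(HMAC-SHA256(key, first two parts))
In Elixir the payload is :erlang.term_to_binary(session); here it is a constructed
byte string.
"""
import base64
import hashlib
import hmac
from typing import Optional

# The cookie value posted in the thread, used only to show the payload is readable.
PAGE_COOKIE = ("SFMyNTY.g3QAAAABbQAAAAR1c2VybQAAAARWV09L"
               ".cjoZgpc9uYhEIMejxhKwuNVHj9hC1fuQEsRPEPT00QI")


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def derive_key(secret_key_base: str, signing_salt: str) -> bytes:
    """Per-purpose key: the salt separates the signing key from other derived keys."""
    return hashlib.pbkdf2_hmac("sha256", secret_key_base.encode(),
                               signing_salt.encode(), 1000, 32)


def sign_session(secret_key_base: str, signing_salt: str, payload: bytes) -> str:
    """What the auth app stores in the cookie: header.payload.tag, all base64url."""
    key = derive_key(secret_key_base, signing_salt)
    signing_input = f"{_b64url(b'HS256')}.{_b64url(payload)}"
    tag = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(tag)}"


def verify_session(secret_key_base: str, signing_salt: str, token: str) -> Optional[bytes]:
    """Returns the payload if the tag matches under this app's secrets, else None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    protected, body, tag = parts
    key = derive_key(secret_key_base, signing_salt)
    expected = hmac.new(key, f"{protected}.{body}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(tag)):
        return None
    return _b64url_decode(body)


def peek_payload(token: str) -> bytes:
    """The middle segment without any verification: the cookie store signs
    but does not encrypt, so whoever holds the cookie can read the session."""
    return _b64url_decode(token.split(".")[1])


def demo() -> dict:
    # Constructed secrets; the thread's real values are masked.
    auth_app = ("constructed-secret-key-base", "constructed-signing-salt")
    other_app_same = auth_app                         # subdomain app configured identically
    other_app_drifted = (auth_app[0], "other-salt")   # same secret_key_base, different salt
    payload = b"constructed session payload"
    token = sign_session(*auth_app, payload)
    protected, _body, tag = token.split(".")
    # Same tag, edited payload: must be rejected by every app.
    edited = protected + "." + _b64url(b"edited payload") + "." + tag
    return {
        "prefix": protected,
        "same_config_verifies": verify_session(*other_app_same, token) == payload,
        "drifted_salt_verifies": verify_session(*other_app_drifted, token) is not None,
        "edited_body_verifies": verify_session(*auth_app, edited) is not None,
        "page_cookie_user_readable": b"VWOK" in peek_payload(PAGE_COOKIE),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "->", result)
```

The `SFMyNTY` prefix the model produces is the same one visible at the start of the cookie in the `%Plug.Conn{}` dump above (it is `HS256` in base64url), and the middle segment of that cookie decodes to the `%{"user" => "VWOK"}` map shown under `:plug_session`. That is the practical consequence of the cookie store: the session is tamper-proof across apps that share the secrets, but it is not confidential, so only identifiers belong in it unless an `encryption_salt` is also configured.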