How to share cookie on multiple subdomains?

kristofvanwoensel · January 25, 2021, 8:31pm

I’ve got multiple applications running on different docker containers. One handles the login of the user, the others all have separate functionalities.
I use OAuth2 to login my users, and save their id in a session cookie. I would like to use this session cookie in my other applications to retrieve the user.

I’ve read that you can share cookies on the same domain. Currently I’ve got this setup in all my applications:

  plug Plug.Session,
    store: :cookie,
    domain:  "smiks.online",
    key: "_smiks_apps_key",
    signing_salt: "********"

My secret_key_base is also similar for all applications.
Even so, the cookies that I saved in my ‘Auth-applications’, are not visible in the other ones. The Auth-app is running on smiks.online, the other applications are running on subdomains (like inschrijvingen.smiks.online). How can I share a cookie between these applications?

darnahsan · January 26, 2021, 7:11am

what samesite flag is set on your cookies ? is it lax or strict ? subdomains will work only in case of it being lax but with strict domain needs to match the one in your browser.

kristofvanwoensel · January 26, 2021, 11:35am

I added

same_site: "Lax"

without result.

The connection of https://smiks.online contains the cookie:

%Plug.Conn{
   adapter: {Plug.Cowboy.Conn, :...},
   assigns: %{user: "VWOK", username: "VAN WOENSEL Kristof"},
   before_send: [#Function<0.58972466/1 in Plug.CSRFProtection.call/2>,
    #Function<2.50475867/1 in Phoenix.Controller.fetch_flash/2>,
    #Function<0.38038610/1 in Plug.Session.before_send/2>,
    #Function<0.24098476/1 in Plug.Telemetry.call/2>],
   body_params: %{},
   cookies: %{
     "_smiks_apps_key" => "SFMyNTY.g3QAAAABbQAAAAR1c2VybQAAAARWV09L.cjoZgpc9uYhEIMejxhKwuNVHj9hC1fuQEsRPEPT00QI"
   },
   halted: false,
   host: "localhost",
   method: "GET",
   owner: #PID<0.3073.0>,
   params: %{},
   path_info: [],
   path_params: %{},
   port: 4007,
   private: %{
     SmiksLoginWeb.Router => {[], %{}},
     :phoenix_action => :index,
     :phoenix_controller => SmiksLoginWeb.PageController,
     :phoenix_endpoint => SmiksLoginWeb.Endpoint,
     :phoenix_flash => %{},
     :phoenix_format => "html",
     :phoenix_layout => {SmiksLoginWeb.LayoutView, :app},
     :phoenix_router => SmiksLoginWeb.Router,
     :phoenix_view => SmiksLoginWeb.PageView,
     :plug_session => %{"user" => "VWOK"},
     :plug_session_fetch => :done
   },query_params: %{},
   query_string: "",
   remote_ip: {0, 0, 0, 0, 0, 65535, 44057, 1},
   req_cookies: %{
     "_smiks_apps_key" => "SFMyNTY.g3QAAAABbQAAAAR1c2VybQAAAARWV09L.cjoZgpc9uYhEIMejxhKwuNVHj9hC1fuQEsRPEPT00QI"
   },
   req_headers: [
     {"accept",
      "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8"},
     {"accept-encoding", "gzip, deflate, br"},
     {"accept-language", "en-US,en;q=0.5"},
     {"cache-control", "max-age=0"},
     {"connection", "upgrade"},
     {"cookie",
      "_smiks_apps_key=SFMyNTY.g3QAAAABbQAAAAR1c2VybQAAAARWV09L.cjoZgpc9uYhEIMejxhKwuNVHj9hC1fuQEsRPEPT00QI"},
     {"host", "localhost:4007"},
     {"referer", "https://smiks.smartschool.be/"},
     {"upgrade-insecure-requests", "1"},
     {"user-agent",
      "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0"},
     {"x-forwarded-for", "94.226.254.172"}
   ],
   request_path: "/",
   resp_body: nil,
   resp_cookies: %{}, 
resp_headers: [
     {"cache-control", "max-age=0, private, must-revalidate"},
     {"x-request-id", "Fl3EvO2x6Euue5MAAAHB"},
     {"x-frame-options", "SAMEORIGIN"},
     {"x-xss-protection", "1; mode=block"},
     {"x-content-type-options", "nosniff"},
     {"x-download-options", "noopen"},
     {"x-permitted-cross-domain-policies", "none"},
     {"cross-origin-window-policy", "deny"}
   ],
   scheme: :http,
   script_name: [],
   secret_key_base: :...,
   state: :unset,
   status: nil
 }

The connection from extramuros.smiks.online still doesn’t contain any cookie. I also tried with put_resp_cookie without result.

darnahsan · January 28, 2021, 4:31am

do you see the cookie set in you browser console ? would it be possible for you to share a screenshot or details of what is in your browser ?

dotdotdotPaul · January 28, 2021, 4:33am

I think you just need to make the domain .smiks.online (leading dot acts as a wildcard).

…Paul

darnahsan · January 28, 2021, 5:46am

in the new specs the dot is not needed anymore

Contrary to earlier specifications, leading dots in domain names (.example.com) are ignored.

dotdotdotPaul · January 28, 2021, 6:16pm

Well, that tells you how long it’s been since I tried to do that.

kristofvanwoensel · January 29, 2021, 5:27pm

I’m getting closer to the cause of the problem.
I created a third website called test.smiks.online that stores another cookie, and I was able to open it in the website extramuros.smiks.online.

The problem must be caused by smiks.online, the website that sets the specific cookie I need. The cookie is set (see my post above). In dev-mode (localhost) everything works fine.
I checked every file file, but I’m unable to find the cause. This is my header from the website that needs the cookie, extramuros.smiks.online:


req_headers: [
     {"accept",
     "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"},
     {"accept-encoding", "gzip, deflate, br"},
     {"accept-language", "en-US,en;q=0.5"},
     {"connection", "upgrade"},
     {"host", "localhost:4008"},
     {"upgrade-insecure-requests", "1"},
     {"user-agent",
     { "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:58.0) Gecko/20100101 Firefox/58.0"},
     {"x-forwarded-for", "94.226.254.172"}
    ],
  
resp_headers: [
    {"cache-control", "max-age=0, private, must-revalidate"},
    {"x-request-id", "Fl7EAXfC1-XgkrwAAAHR"},
    {"x-frame-options", "SAMEORIGIN"},
    {"x-xss-protection", "1; mode=block"},
    {"x-content-type-options", "nosniff"},
    {"x-download-options", "noopen"},
    {"x-permitted-cross-domain-policies", "none"},
    {"cross-origin-window-policy", "deny"}
   ],

kristofvanwoensel · February 4, 2021, 8:03pm

After trying to comment my code letter by letter, I decided to rebuild the application from scratch with a working result. I kept plugins to a minimum, because I suspect a front-end plugin to be the culprit (if that were possible?)

Anyway, for people looking for the answer, it should work with sharing the same APP_SECRET and having the following session configuration in every application:

  plug Plug.Session,
    store: :cookie,
    domain:  "smiks.online",
    key: "_smiks_apps_key",
    signing_salt: "********"