Cookies on parent domain are also set on subdomain
Hello There,
we are currently using this project to deploy a Serverless application in a dev and a prod environment. We are deploying it with AWS SAM directly from the Serverless Application Repository with the following configuration (we create the CloudFront distribution and the Cognito UserPool separately). CloudFormation extract we use for the deployment:
```yaml
Type: AWS::Serverless::Application
Properties:
  Location:
    ApplicationId: arn:aws:serverlessrepo:us-east-1:520945424137:applications/cloudfront-authorization-at-edge
    SemanticVersion: 2.0.13
  Parameters:
    CreateCloudFrontDistribution: false
    UserPoolArn: !Ref UserPoolArn
    UserPoolClientId: !Ref UserPoolClient
    HttpHeaders: |-
      {
        "Content-Security-Policy": "default-src 'self'; img-src 'self'; script-src 'self' https://code.jquery.com https://stackpath.bootstrapcdn.com; style-src 'self' 'unsafe-inline' https://stackpath.bootstrapcdn.com; object-src 'self'; connect-src 'self' https://*.amazonaws.com https://*.amazoncognito.com",
        "Strict-Transport-Security": "max-age=31536000; includeSubdomains; preload",
        "Referrer-Policy": "same-origin",
        "X-XSS-Protection": "1; mode=block",
        "X-Frame-Options": "DENY",
        "X-Content-Type-Options": "nosniff"
      }
    CookieSettings: |-
      {
        "idToken": "Secure; SameSite=Lax",
        "accessToken": "Secure; SameSite=Lax",
        "refreshToken": "Secure; SameSite=Lax",
        "nonce": "Secure; HttpOnly; Max-Age=300; SameSite=Lax"
      }
```
We are deploying the code in two different environments (dev and prod) with the domain names “dev.mydomain.net” and “mydomain.net”. The issue we are facing is that the Auth cookies which are set for the prod environment are inherited by the dev environment, which causes a violation of the max cookie size in our Web Application Firewall.
I believe this is due to the fact that the domain of the cookies has a leading “.”, causing the cookies to be applied to subdomains as well, which is not the behavior I would expect. We will fix it in the short term by changing our dev domain to something like mydomain-dev.net. However, we would be very grateful if we could get a configuration option to store the cookies under a domain without a leading “.”.
I think it should be enough to either change it in the function “withCookieDomain” or add an option to configure the domain:
```typescript
function withCookieDomain(
  distributionDomainName: string,
  cookieSettings: string
) {
  // Only add a Domain attribute if the deployer's CookieSettings string
  // does not already mention one (plain substring check on "domain")
  if (cookieSettings.toLowerCase().indexOf("domain") === -1) {
    // Add leading dot for compatibility with Amplify (or js-cookie really)
    return `${cookieSettings}; Domain=.${distributionDomainName}`;
  }
  return cookieSettings;
}
```
Thanks in advance! Daniel
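The cookie domain-matching rules that produce the behaviour described in this issue, as an added example that is not part of the original issue or of the cloudfront-authorization-at-edge project. It implements the relevant parts of RFC 6265 (Set-Cookie parsing, the Domain attribute normalisation that drops a leading dot, domain matching, and the host-only rule) and checks three ways the prod distribution could scope its idToken cookie against the dev host. The Set-Cookie headers and host names are constructed for the example, and `withCookieScope` is a hypothetical variant of the project's `withCookieDomain`, not something the project ships.

```typescript
// Added example, not code from the cloudfront-authorization-at-edge project.
// RFC 6265 decides which hosts receive a cookie; the leading "." is not what
// makes prod cookies reach dev.mydomain.net. Any Domain attribute does that;
// only a cookie with no Domain attribute at all stays on the exact host that
// set it (a "host-only" cookie).

interface StoredCookie {
  name: string;
  value: string;
  domain: string;    // lower-case, no leading dot; the setting host when host-only
  hostOnly: boolean; // RFC 6265 5.3 step 6: true when no Domain attribute was given
}

// RFC 6265 5.1.3 domain matching (IP-address literals are out of scope here).
function domainMatches(host: string, cookieDomain: string): boolean {
  const h = host.toLowerCase();
  if (h === cookieDomain) return true;
  const suffix = "." + cookieDomain;
  return h.length > suffix.length && h.slice(-suffix.length) === suffix;
}

// Store one Set-Cookie header as received from `requestHost` (RFC 6265 5.2, 5.3).
// Returns null when a user agent would reject the cookie.
function storeSetCookie(header: string, requestHost: string): StoredCookie | null {
  const parts = header.split(";").map((s) => s.trim());
  const eq = parts[0].indexOf("=");
  if (eq <= 0) return null; // no cookie name
  const cookie: StoredCookie = {
    name: parts[0].slice(0, eq),
    value: parts[0].slice(eq + 1),
    domain: requestHost.toLowerCase(),
    hostOnly: true,
  };
  for (const attr of parts.slice(1)) {
    const i = attr.indexOf("=");
    const attrName = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    const attrValue = i === -1 ? "" : attr.slice(i + 1);
    if (attrName === "domain" && attrValue !== "") {
      // 5.2.3: a leading "." is dropped and the value is lower-cased, so
      // "Domain=.mydomain.net" and "Domain=mydomain.net" are the same cookie domain.
      const domain = attrValue.replace(/^\./, "").toLowerCase();
      // 5.3 step 6: reject a cookie whose Domain does not cover the setting host
      if (!domainMatches(requestHost, domain)) return null;
      cookie.domain = domain;
      cookie.hostOnly = false;
    }
  }
  return cookie;
}

// RFC 6265 5.4 step 1: would the user agent attach this cookie to a request to `host`?
function cookieSentTo(cookie: StoredCookie, host: string): boolean {
  const h = host.toLowerCase();
  return cookie.hostOnly ? h === cookie.domain : domainMatches(h, cookie.domain);
}

// Three ways the prod distribution (mydomain.net) could scope its idToken cookie,
// each checked against the dev host. Headers and hosts are constructed for this example.
function idTokenReachesDev(): Record<string, boolean> {
  const prodHost = "mydomain.net";
  const devHost = "dev.mydomain.net";
  const variants: Record<string, string> = {
    leadingDot: "idToken=example; Secure; SameSite=Lax; Domain=.mydomain.net", // what withCookieDomain emits
    noDot: "idToken=example; Secure; SameSite=Lax; Domain=mydomain.net",       // the change the issue asks for
    hostOnly: "idToken=example; Secure; SameSite=Lax",                         // no Domain attribute at all
  };
  const result: Record<string, boolean> = {};
  for (const label of Object.keys(variants)) {
    const cookie = storeSetCookie(variants[label], prodHost);
    result[label] = cookie !== null && cookieSentTo(cookie, devHost);
  }
  return result;
}

// Hypothetical variant of the project's withCookieDomain: the deployer chooses
// whether cookies are shared with subdomains, and a Domain attribute already
// present in CookieSettings is left alone (attribute match, not substring match).
function withCookieScope(
  distributionDomainName: string,
  cookieSettings: string,
  shareWithSubdomains: boolean
): string {
  if (/(^|;)\s*domain\s*=/i.test(cookieSettings)) return cookieSettings;
  return shareWithSubdomains
    ? `${cookieSettings}; Domain=${distributionDomainName}`
    : cookieSettings; // host-only: no Domain attribute, so dev.mydomain.net never sees it
}
```

`idTokenReachesDev()` returns `leadingDot: true`, `noDot: true`, `hostOnly: false`: dropping the dot from the Domain attribute changes nothing, because a user agent strips it before matching. Keeping prod cookies off the dev host requires omitting the Domain attribute entirely, which is why the option worth asking for is "host-only cookies" rather than "no leading dot".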
Issue Analytics
- State:
- Created 2 years ago
- Comments: 10
Top GitHub Comments
@ottokruse this was successful! Thanks a lot for your help. To wrap it up, this is our working configuration:
Thanks, I will try it. I also figured out now that the Cookie header works like you said but my browser actually adds the `.`.

set-cookie header of the request: