
Cookies on parent domain are also set on subdomain


Hello There,

we are currently using this project to deploy a Serverless application in a dev and prod environment. We are deploying it with AWS SAM directly from the Serverless Application repository with the following configuration (we create the CloudFront distribution and the Cognito UserPool separately). CloudFormation extract we use for the deployment:

    Type: AWS::Serverless::Application
    Properties:
      Location:
        ApplicationId: arn:aws:serverlessrepo:us-east-1:520945424137:applications/cloudfront-authorization-at-edge
        SemanticVersion: 2.0.13
      Parameters: 
        CreateCloudFrontDistribution: false
        UserPoolArn: !Ref UserPoolArn
        UserPoolClientId: !Ref UserPoolClient
        HttpHeaders: |-
            {
              "Content-Security-Policy": "default-src 'self'; img-src 'self'; script-src 'self' https://code.jquery.com https://stackpath.bootstrapcdn.com; style-src 'self' 'unsafe-inline' https://stackpath.bootstrapcdn.com; object-src 'self'; connect-src 'self' https://*.amazonaws.com https://*.amazoncognito.com",
              "Strict-Transport-Security": "max-age=31536000; includeSubdomains; preload",
              "Referrer-Policy": "same-origin",
              "X-XSS-Protection": "1; mode=block",
              "X-Frame-Options": "DENY",
              "X-Content-Type-Options": "nosniff"
            }
        CookieSettings: |-
            {
              "idToken": "Secure; SameSite=Lax",
              "accessToken": "Secure; SameSite=Lax",
              "refreshToken": "Secure; SameSite=Lax",
              "nonce": "Secure; HttpOnly; Max-Age=300; SameSite=Lax"
            }

We are deploying the code in two different environments (dev and prod) with the domain names “dev.mydomain.net” and “mydomain.net”. The issue we are facing is that the Auth cookies which are set for the prod environment are inherited by the dev environment, which causes a violation of the max cookie size in our Web Application Firewall.


I believe this is due to the fact that the domain of the Cookies has a leading “.”, causing the cookies to be applied to subdomains as well, which is not the behavior I would expect. We will fix it in the short term by changing our dev domain to something like mydomain-dev.net. However, we would be very grateful if we could get a configuration option to store the cookies under a domain without a leading “.”.

I think it should be enough to either change it in the function “withCookieDomain” or add an option to configure the domain:

function withCookieDomain(
  distributionDomainName: string,
  cookieSettings: string
) {
  // Add the domain to the cookiesetting
  if (cookieSettings.toLowerCase().indexOf("domain") === -1) {
    // Add leading dot for compatibility with Amplify (or js-cookie really)
    return `${cookieSettings}; Domain=.${distributionDomainName}`;
  }
  return cookieSettings;
}

Thanks in advance! Daniel

Issue Analytics

  • State: closed
  • Created 2 years ago
  • Comments: 10

Top GitHub Comments

1 reaction
danielbender1989 commented, Feb 4, 2022

@ottokruse this was successful! Thanks a lot for your help. To wrap it up, this is our working configuration:

  LambdaEdgeProtection:
    Type: AWS::Serverless::Application
    Properties:
      Location:
        ApplicationId: arn:aws:serverlessrepo:us-east-1:520945424137:applications/cloudfront-authorization-at-edge
        SemanticVersion: 2.0.13
      Parameters: 
        CreateCloudFrontDistribution: false
        UserPoolArn: !Ref UserPoolArn
        UserPoolClientId: !Ref UserPoolClient
        HttpHeaders: |-
            {
              "Content-Security-Policy": "default-src 'self'; img-src 'self'; script-src 'self' https://code.jquery.com https://stackpath.bootstrapcdn.com; style-src 'self' 'unsafe-inline' https://stackpath.bootstrapcdn.com; object-src 'self'; connect-src 'self' https://*.amazonaws.com https://*.amazoncognito.com",
              "Strict-Transport-Security": "max-age=31536000; includeSubdomains; preload",
              "Referrer-Policy": "same-origin",
              "X-XSS-Protection": "1; mode=block",
              "X-Frame-Options": "DENY",
              "X-Content-Type-Options": "nosniff"
            }
        CookieSettings: |-
            {
              "idToken": "Domain=; Secure; SameSite=Lax",
              "accessToken": "Domain=; Secure; SameSite=Lax",
              "refreshToken": "Domain=; Secure; SameSite=Lax",
              "nonce": "Domain=; Secure; HttpOnly; Max-Age=300; SameSite=Lax"
            }

0 reactions
danielbender1989 commented, Feb 4, 2022

Thanks, I will try it. I also figured out now that the Cookie header works like you said, but my browser actually adds the ".".

set-cookie header of the request:

CognitoIdentityServiceProvider.xxx.LastAuthUser=xxx; Domain=dev.mydomain.net; Secure; SameSite=Lax
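The cookie scoping discussed in this thread, as an added example that is not the project's own code: withCookieDomain is reproduced from the issue above, while parseSetCookie, domainMatches and cookieSentTo are a simplified model of the RFC 6265 rules a browser applies (a leading dot in Domain is dropped, an empty "Domain=" attribute is ignored so the cookie becomes host-only, and host-only cookies are sent only to the exact host). The hostnames are the ones from the issue; the token values are constructed, and public-suffix checks are omitted.

```typescript
// Added example, not part of the cloudfront-authorization-at-edge project.
// Models how a browser scopes cookies via the Domain attribute (RFC 6265
// sections 5.2.3, 5.3 and 5.4) to show why the prod cookies reached dev.

interface ParsedCookie {
  name: string;
  value: string;
  domain: string;     // effective domain (the request host for host-only cookies)
  hostOnly: boolean;  // true when no usable Domain attribute was given
}

// The helper quoted in the issue, reproduced as posted.
function withCookieDomain(distributionDomainName: string, cookieSettings: string): string {
  // Add the domain to the cookiesetting
  if (cookieSettings.toLowerCase().indexOf("domain") === -1) {
    // Add leading dot for compatibility with Amplify (or js-cookie really)
    return `${cookieSettings}; Domain=.${distributionDomainName}`;
  }
  return cookieSettings;
}

// RFC 6265 5.1.3: host domain-matches domain if equal to it or a subdomain of it.
function domainMatches(host: string, domain: string): boolean {
  if (host === domain) return true;
  const suffix = "." + domain;
  return host.length > suffix.length && host.slice(-suffix.length) === suffix;
}

// Parse one Set-Cookie header the way a browser stores it. Returns null when the
// browser would reject the cookie because the request host lies outside Domain.
function parseSetCookie(header: string, requestHost: string): ParsedCookie | null {
  const parts = header.split(";").map((s) => s.trim());
  const pair = parts[0];
  const eq = pair.indexOf("=");
  const name = pair.slice(0, eq);
  const value = pair.slice(eq + 1);
  const host = requestHost.toLowerCase();
  let domain: string | null = null;
  for (const attr of parts.slice(1)) {
    const i = attr.indexOf("=");
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    if (key !== "domain") continue;
    let v = (i === -1 ? "" : attr.slice(i + 1)).trim().toLowerCase();
    if (v === "") continue;                   // 5.2.3: an empty Domain is ignored
    if (v.charAt(0) === ".") v = v.slice(1);  // 5.2.3: the leading dot is dropped,
    domain = v;                               //        so ".x.net" == "x.net"
  }
  if (domain === null) {
    return { name, value, domain: host, hostOnly: true };  // 5.3: host-only cookie
  }
  if (!domainMatches(host, domain)) return null;           // 5.3: cookie rejected
  return { name, value, domain, hostOnly: false };
}

// RFC 6265 5.4: a host-only cookie needs an exact host match; a domain cookie is
// sent to the domain and to every subdomain of it.
function cookieSentTo(cookie: ParsedCookie, host: string): boolean {
  const h = host.toLowerCase();
  return cookie.hostOnly ? h === cookie.domain : domainMatches(h, cookie.domain);
}

// Reproduce the two deployments from the issue (hostnames from the issue,
// token values constructed).
function demo(): { leaksToDev: boolean; fixedLeaksToDev: boolean; fixedSentToProd: boolean } {
  const prodHost = "mydomain.net";
  const devHost = "dev.mydomain.net";
  const settings = "Secure; SameSite=Lax";

  // Default helper output ends in "Domain=.mydomain.net": a domain cookie.
  const prodCookie = parseSetCookie(`idToken=prod-token; ${withCookieDomain(prodHost, settings)}`, prodHost)!;
  // The "Domain=;" workaround from the working config: the helper sees "domain" and
  // leaves the string alone; the browser ignores the empty attribute -> host-only.
  const fixedCookie = parseSetCookie(`idToken=prod-token; ${withCookieDomain(prodHost, "Domain=; " + settings)}`, prodHost)!;

  return {
    leaksToDev: cookieSentTo(prodCookie, devHost),        // true
    fixedLeaksToDev: cookieSentTo(fixedCookie, devHost),  // false
    fixedSentToProd: cookieSentTo(fixedCookie, prodHost), // true
  };
}

console.log(demo());
```

The model also explains the last comment above: "Domain=dev.mydomain.net" with or without the dot is stored identically, and such a cookie is sent to dev.mydomain.net and its subdomains but never up to mydomain.net; only omitting (or emptying) the Domain attribute yields a cookie that stays on the exact host.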