0

I want to achieve user authentication and keep state with cookies between client and server.

Webapp runs with domain1, backend runs on domain2. I am having lots of trouble letting session cookies be exchanged back and forth between the web app (the browser) and the backend, because of the different domains.

I have to deal with CORS, SameSite, HTTPS/HTTP. I am actually stuck because in my local environment I am running the web app and backend on HTTP, which doesn't allow SameSite = none.

I ask you if what I want to do is achievable, and if not what are the other options.

Improve this question
4
  • Cookie settings like this become configuration. Simply do not deal with this on your local machine. Commented Jul 3, 2023 at 16:10
  • 1
    Make sure you have one origin for all requests. Host web app and web API on localhost under the same port, but different sub directories. Commented Jul 3, 2023 at 16:12
  • 1
    If you need a single signon that works with multiple domains, a central identity server is common, like this guy. Commented Jul 3, 2023 at 21:44
  • You can solve CORS, but you cannot rely on third-party cookies. There are exactly three ways to solve this: (1) don't use cookies for API auth but e.g. Authentication headers, (2) run both servers under the same domain (maybe different subdomains) so that cookies would be 1st-party, (3) force users to allow 3rd party cookies, which will become impossible soon (Chrome has announced deprecation but hasn't yet followed through). Commented Jul 4, 2023 at 6:14

2 Answers 2

Reset to default
0

To achieve user authentication and maintain state with cookies between a web app and a backend on different domains, you need to address the issues related to Cross-Origin Resource Sharing (CORS), SameSite, and HTTPS/HTTP. Here are some steps you can take to achieve this:

CORS Approach:
    On the backend (server) side, you need to set the following HTTP headers:
        Access-Control-Allow-Credentials - Set the value to true.
        Access-Control-Allow-Origin - Set this header to the specific domain that the web app is running on, including the scheme (e.g., https://domain1.com).
        Access-Control-Allow-Headers - Set this header to the necessary headers for the request (e.g., Content-Type, Authorization, x-csrf-token).
    Additionally, you should set the following cookie settings:
        SameSite=None
        Secure
    On the client-side, set the XMLHttpRequest.withCredentials flag to true:
        For ES6 fetch(), use credentials: 'include'.
        For jQuery 1.5.1, use xhrFields: { withCredentials: true }.
        For Axios, use withCredentials: true.

Proxy Approach:
    Instead of dealing with cross-site (CORS) issues, you can use a proxy to route all traffic to the same top-level domain name. This can be achieved using DNS (subdomain) and/or load balancing. Tools like Nginx can help with this approach.
    This approach aligns well with the JAMStack architecture, where the API and web app code are decoupled. By serving the API and web app on the same host, you can avoid the cross-site/CORS problems.
Improve this answer
3
  • I think this is only achievable through HTTPS communication since the cookie must be SECURE Commented Jul 7, 2023 at 7:37
  • Yes, some of this is only achievable in HTTPS, but the approach is basically the same. Commented Jul 7, 2023 at 21:32
  • Is this approach still recommended with browsers blocking third party cookies? Commented Mar 26 at 17:57
1

Yes it's achievable.

Javascript runs on domain1, logs in gets auth token, saves to cookie on domain1.

Javascript on domain1 wants to call domain2. Read the token from domain1 cookie. build request to domain2, set cookie manually on the request. send request.

But you are fighting the system. The cookies won't be sent automatically and you'll still have to setup https locally.

Improve this answer
3
  • Many thanks, what's your advice? What is the proper way to accomplish this? Commented Jul 3, 2023 at 21:39
  • 1
    send auth in an authentication header. don't use cookies Commented Jul 3, 2023 at 21:52
  • 1
    Do you mean this https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Authorization? Commented Jul 3, 2023 at 22:20

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.