Issue
I have this return statement in my backend code:
return res
  .status(200)
  .cookie("auth_token", token, {
    httpOnly: false,      // readable by page scripts, so any XSS on the site can read the JWT
    domain: "domain.com", // the browser only sends this cookie to domain.com and its subdomains
    secure: true,         // only sent over HTTPS
    expires: new Date(Date.now() + 6 * 60 * 60 * 1000), // 6 hours
  })
  .send({
    data: token,
    code: "100",
    // `${(app, os)}` used the comma operator and only printed `os`; list both values instead
    message: `AUTHENTICATION SUCCESS. IP: ${clientIP}, Geo: ${location}, Info: ${app}, ${os}`,
  });
which saves a JWT token on domain domain.com. I'd like this to also work with domain2.com, for example, as my authentication system is now used for multiple sites and it runs off of a different domain to domain2.com.
A user goes on site domain.com and that site checks if an auth-token cookie is present; if not, it should redirect to a completely different domain, auth.domain2.com. This is where the user authenticates; once they have authenticated themselves, the above return statement should save the cookie in their browser for, ideally, domain.com and domain2.com. After that, they are redirected back to domain.com for it to check once again if the auth-token cookie is present, and if so, check it's valid and then allow the user in.
I have tried to just save the cookie for the domain that's not the domain the authentication code runs on (the code above, for example), changing domain: "domain.com" to domain: "domain2.com", but it still will not work/save the cookie for that domain.
Is this possible? If not, what are the workarounds?
Solution
Cookies from one domain cannot be accessed from another domain, but this is actually not necessary.
The logon flow that you describe implies for me that you need two cookies:
1. User visits domain.com and a logon flow starts with a redirection to auth.domain2.com.
2. User posts their credentials to auth.domain2.com and receives a response that
   - sets a cookie A for domain auth.domain2.com and
   - redirects the browser back to domain.com (with a SAML response or a JWT or an authorization code or something that indicates that the user has successfully logged on).
3. In response to the request domain.com?SAMLResponse=..., the browser receives a cookie B (a JWT named auth_token in your case) for domain domain.com.
After that, every request that the browser makes to domain.com contains cookie B, which therefore establishes a session with domain.com.
If the user later visits domain3.com (or returns to domain.com after having logged off), a second logon flow to auth.domain2.com is started, but this time, the request to auth.domain2.com contains cookie A. Therefore, auth.domain2.com immediately redirects the browser back to domain3.com, without asking for credentials in step #2 above.
In other words: Cookie A establishes a session with auth.domain2.com, and cookie B establishes a session with domain.com. (And a third cookie C establishes a session with domain3.com in step #3 of the second logon flow.)
This should fulfil your requirements.
Answered By - Heiko Theißen Answer Checked By - David Goodson (PHPFixing Volunteer)