I have built a website (A) which logs in to and retrieves customer data from a separate web service.
The organisation that owns (A) also has a website (B) which has
You mentioned the same company owns both sites. As you suspected, if the sites have the same domain like www.mycompany.com and store.mycompany.com, then they can share cookies. The HTTP response header would look something like this:
Set-Cookie: user_id=1295214458; Path=/; Domain=.mycompany.com
Since the client has direct access to this data, you should also include a signature so tampering would be detected. Usually the whole thing is encrypted and signed into a "token", and that is set as the cookie. But technically, just the signature is required.
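The signature-only variant described in the answer above, as an added example that is not part of the original post: the server appends an HMAC-SHA256 tag to the cookie value and rejects any cookie whose tag does not verify. The key, the function names, and the `Secure; HttpOnly` attributes are assumptions of this sketch; both sites' servers would need to hold the same key.

```python
import base64
import hashlib
import hmac

# Assumption: a secret held only by the servers of both sites, never sent to the client.
SECRET_KEY = b"constructed-demo-key-replace-me"


def _b64(data: bytes) -> str:
    # URL-safe base64 without padding: every character is legal in a cookie value.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _tag(value: str, key: bytes) -> str:
    return _b64(hmac.new(key, value.encode("utf-8"), hashlib.sha256).digest())


def sign_value(value: str, key: bytes = SECRET_KEY) -> str:
    """Return 'value.signature'. The value stays readable; only tampering is detected."""
    return f"{value}.{_tag(value, key)}"


def verify_value(token: str, key: bytes = SECRET_KEY):
    """Return the original value if the signature verifies, otherwise None."""
    value, sep, sig = token.rpartition(".")
    if not sep or not value:
        return None  # no signature present at all
    expected = _tag(value, key)
    # compare_digest runs in constant time, so it does not leak how much of a guess matched.
    if not hmac.compare_digest(sig.encode("ascii", "replace"), expected.encode("ascii")):
        return None
    return value


def set_cookie_header(user_id: str) -> str:
    # Domain=.mycompany.com makes the cookie visible to both subdomains.
    # Secure and HttpOnly are added here on the assumption that both sites use HTTPS.
    return (f"Set-Cookie: user_id={sign_value(user_id)}; Path=/; "
            "Domain=.mycompany.com; Secure; HttpOnly")


if __name__ == "__main__":
    print(set_cookie_header("1295214458"))  # constructed sample value from the header above
```

Because the tag covers only the value, a captured cookie stays valid until the key changes; an expiry timestamp can be included in the signed value to bound its lifetime.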