Cross-Domain Cookies

Backend · Unresolved · 15 answers · 2736 views
抹茶落季 2020-11-21 21:56

I have two webapps WebApp1 and WebApp2 in two different domains.

  1. I am setting a cookie in WebApp1 in the HttpResponse.
  2. How to read the same cookie fro
15 answers
  •  谎友^ (OP)
     2020-11-21 22:33

    Cross-site cookies are allowed if:

    1. the Set-Cookie response header includes SameSite=None; Secure as seen here and here
    2. and your browser hasn't disabled 3rd-party cookies.*

    Let's clarify a "domain" vs a "site"; I always find a quick reminder of the "anatomy of a URL" helps me. In this URL https://example.com:8888/examples/index.html, remember these main parts (taken from this paper):

    • the "protocol": https://
    • the "hostname/host": example.com
    • the "port": 8888

    The "path" part is:/examples/index.html. Notice the difference between "path" and "site".

    path

    Servers can set a Path attribute in the Set-Cookie, but it doesn't seem security-related:

    Note that path was intended for performance, not security. Web pages having the same origin still can access cookie via document.cookie even though the paths are mismatched.

    site

    The SameSite attribute, according to web.dev article, can restrict or allow cross-site cookies; but what is a "site"?

    It's helpful to understand exactly what 'site' means here. The site is the combination of the domain suffix and the part of the domain just before it. For example, the www.web.dev domain is part of the web.dev site.

    This means what's to the left of web.dev is a subdomain; yep, www is the subdomain (but the subdomain is a part of the host)

    In this URL https://www.example.com:8888/examples/index.html, remember these parts:

    • the "protocol": https://
    • the "hostname" aka "host": example.com
    • (in cases like "en.wikipedia.org", the entire "en.example.com" is also a hostname)
    • the "port": 8888
    • the "site": www.example.com
    • the "domain": example.com
    • the "subdomain": www

    Useful links:

    • https://web.dev/samesite-cookies-explained/
    • https://jisajournal.springeropen.com/articles/10.1186/1869-0238-4-13
    • https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-03
    • https://inst.eecs.berkeley.edu/~cs261/fa17/scribe/web-security-1.pdf
    • https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie

    (Be careful; I was testing my feature in a Chrome Incognito tab; according to my chrome://settings/cookies, my settings were "Block third party cookies in Incognito", so I can't test cross-site cookies in Incognito.)
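The origin/site distinction and the "SameSite=None; Secure" requirement from the answer above, worked through in code. This is an added example, not code from the original post or from any of the linked articles. The hostnames (webapp1.example.com, webapp2.example.com, webapp2.example.org), the function names, and the tiny PUBLIC_SUFFIXES table (a stand-in for the real Public Suffix List) are my own assumptions; wouldBeSent models Chrome's Lax-by-default behaviour with third-party cookies not blocked by browser settings, which is not every browser's behaviour.

```javascript
// Added example: compute "origin" and "site" for URLs and model which
// Set-Cookie attributes a cookie needs before a cross-site page can use it.

// ASSUMPTION: a tiny subset standing in for the Public Suffix List
// (https://publicsuffix.org/). Real code must use the full list.
const PUBLIC_SUFFIXES = new Set(['com', 'org', 'net', 'dev', 'co.uk', 'github.io']);

// Longest matching public suffix of a hostname, e.g. 'co.uk' for 'www.bbc.co.uk'.
function publicSuffix(hostname) {
  const labels = hostname.toLowerCase().split('.');
  for (let i = 0; i < labels.length; i++) {
    const candidate = labels.slice(i).join('.');
    if (PUBLIC_SUFFIXES.has(candidate)) return candidate;
  }
  return labels[labels.length - 1]; // unknown TLD: treat the last label as the suffix
}

// Registrable domain, i.e. the "site" in the SameSite sense: the public suffix
// plus the one label before it. 'www.example.com' -> 'example.com'.
function registrableDomain(hostname) {
  const h = hostname.toLowerCase();
  const suffix = publicSuffix(h);
  if (h === suffix) return null; // a bare public suffix has no registrable domain
  const rest = h.slice(0, h.length - suffix.length - 1);
  const labels = rest.split('.');
  return `${labels[labels.length - 1]}.${suffix}`;
}

// Origin = scheme + host + port (URL parsing drops the scheme's default port).
function originOf(url) {
  return new URL(url).origin;
}

// Schemeful site = scheme + registrable domain; subdomains and ports are ignored.
function siteOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${registrableDomain(u.hostname)}`;
}

function isSameOrigin(a, b) { return originOf(a) === originOf(b); }
function isSameSite(a, b) { return siteOf(a) === siteOf(b); }

// Parse a Set-Cookie header value into name, value and a lowercase attribute map.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attributes: {} };
  for (const attr of attrs) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    cookie.attributes[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return cookie;
}

// Would the cookie that requestUrl's host set with setCookieHeader be attached to a
// request that a page at pageUrl makes to requestUrl?  Models Chrome's rules:
// missing SameSite is treated as Lax (ASSUMPTION: other browsers may differ),
// SameSite=None without Secure is rejected, and Secure cookies only travel over https.
function wouldBeSent(setCookieHeader, pageUrl, requestUrl, { topLevelGetNavigation = false } = {}) {
  const c = parseSetCookie(setCookieHeader);
  const sameSite = String(c.attributes.samesite || 'Lax').toLowerCase();
  if (sameSite === 'none' && !c.attributes.secure) return false; // cookie never stored
  if (c.attributes.secure && new URL(requestUrl).protocol !== 'https:') return false;
  if (isSameSite(pageUrl, requestUrl)) return true;   // same-site: SameSite never blocks
  if (sameSite === 'none') return true;               // explicitly allowed cross-site
  if (sameSite === 'lax') return topLevelGetNavigation; // Lax: only top-level GET navigations
  return false;                                       // Strict: never cross-site
}

// The header WebApp1 has to emit for its cookie to be usable from a cross-site WebApp2.
function crossSiteCookieHeader(name, value) {
  return `${name}=${value}; Path=/; Secure; HttpOnly; SameSite=None`;
}

// Constructed, hypothetical hosts for the two web apps in the question.
const WEBAPP1 = 'https://webapp1.example.com/api/session';
const WEBAPP2_SAME_SITE = 'https://webapp2.example.com/index.html';
const WEBAPP2_CROSS_SITE = 'https://webapp2.example.org/index.html';

console.log('same-site:', isSameSite(WEBAPP1, WEBAPP2_SAME_SITE), 'same-origin:', isSameOrigin(WEBAPP1, WEBAPP2_SAME_SITE));
console.log('default cookie sent cross-site?', wouldBeSent('sid=abc', WEBAPP2_CROSS_SITE, WEBAPP1));
console.log('fixed cookie sent cross-site?', wouldBeSent(crossSiteCookieHeader('sid', 'abc'), WEBAPP2_CROSS_SITE, WEBAPP1));
```

The point the demo makes for the question: webapp1.example.com and webapp2.example.com are different origins but the same site, so SameSite never gets in the way there; only when WebApp2 lives under a different registrable domain (example.org) does the cookie need "SameSite=None; Secure", and even then the browser's own third-party-cookie setting can still block it.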
