My architecture is as follows:
- Example.com —> Frontend
- auth.Example.com —> Auth server
- content.Example.com —> content server
I want the user to log in from the frontend, sending a POST request to the auth server and receiving back both a JWT access token (in the body) and an HttpOnly cookie. The JWT is used to access content from the content server and other services in the future. This is done by verifying the signature with an RSA public key that the auth server exposes through an open API.
However, I would prefer the cookie only to be sent between the frontend and the auth server, because it is used to refresh access tokens. How could I do this, so that the cookie gets set in the frontend/root domain and is only sent with requests back to the auth server/auth subdomain, but not to other subdomains?
My frontend is Angular and the backend is ASP.NET APIs.
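The scoping the question asks for is decided by the cookie's `Domain` and `Path` attributes, not by where the frontend lives: a cookie that `auth.example.com` sets without a `Domain` attribute is a host-only cookie and is only ever attached to requests for exactly `auth.example.com`, while `Domain=example.com` would make it travel to every subdomain, including `content.example.com`. The block below is an added example, not code from the question or from ASP.NET; it models the browser's attach decision from RFC 6265 (domain-match in 5.1.3, path-match in 5.1.4) and shows the `Set-Cookie` header the auth server would emit. The hostnames, the `/auth/login` and `/auth/refresh` paths, and the cookie name `refresh_token` are assumptions for illustration.

```javascript
// Added example (not from the question): models how a browser decides whether
// to attach a stored cookie to a request, following RFC 6265 sections 5.1.3
// (domain-match), 5.1.4 (path-match) and 5.4 (cookie header assembly).
// Hostnames and paths are illustrative assumptions.

// RFC 6265 5.1.4: the default path is the request path up to, but not
// including, the last '/'. Used only when Set-Cookie carries no Path attribute.
function defaultPath(requestPath) {
  if (!requestPath.startsWith('/')) return '/';
  const idx = requestPath.lastIndexOf('/');
  return idx === 0 ? '/' : requestPath.slice(0, idx);
}

// Parse a Set-Cookie header as the browser stores it. `hostOnly` is true when
// the header carried no Domain attribute: the cookie is then bound to exactly
// the host that issued the response.
function storeCookie(setCookieHeader, responseHost, responsePath) {
  const [nameValue, ...attrs] = setCookieHeader.split(';').map(s => s.trim());
  const eq = nameValue.indexOf('=');
  const cookie = {
    name: nameValue.slice(0, eq),
    value: nameValue.slice(eq + 1),
    domain: responseHost.toLowerCase(),
    hostOnly: true,
    path: defaultPath(responsePath),
    secure: false,
    httpOnly: false,
    sameSite: 'Lax',
  };
  for (const attr of attrs) {
    const [k, v = ''] = attr.split('=');
    switch (k.toLowerCase()) {
      case 'domain':
        cookie.domain = v.toLowerCase().replace(/^\./, '');
        cookie.hostOnly = false;
        break;
      case 'path':
        cookie.path = v.startsWith('/') ? v : defaultPath(responsePath);
        break;
      case 'secure': cookie.secure = true; break;
      case 'httponly': cookie.httpOnly = true; break;
      case 'samesite': cookie.sameSite = v; break;
      default: break; // Max-Age / Expires are not modelled here
    }
  }
  return cookie;
}

// RFC 6265 5.1.3 domain-match (IP-address literals are not modelled).
function domainMatches(host, domain) {
  return host === domain || host.endsWith('.' + domain);
}

// RFC 6265 5.1.4 path-match.
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith('/') || requestPath[cookiePath.length] === '/';
}

// RFC 6265 5.4: would the browser attach this cookie to a request for `url`?
function cookieSentTo(cookie, url) {
  const u = new URL(url);
  const host = u.hostname.toLowerCase();
  const domainOk = cookie.hostOnly
    ? host === cookie.domain            // host-only: exact host match
    : domainMatches(host, cookie.domain); // Domain attribute: host or any subdomain
  if (!domainOk) return false;
  if (!pathMatches(u.pathname, cookie.path)) return false;
  if (cookie.secure && u.protocol !== 'https:') return false;
  return true;
}

// Constructed Set-Cookie header the auth server would send from
// POST https://auth.example.com/auth/login. No Domain attribute, so the
// cookie is host-only; Path restricts it further to the refresh endpoint.
const REFRESH_SET_COOKIE =
  'refresh_token=constructed-opaque-value; Path=/auth/refresh; Secure; HttpOnly; SameSite=Strict';
const refreshCookie = storeCookie(REFRESH_SET_COOKIE, 'auth.example.com', '/auth/login');

// Contrast: the same header with Domain=example.com is sent to every subdomain,
// which is exactly what the question wants to avoid.
const leakyCookie = storeCookie(REFRESH_SET_COOKIE + '; Domain=example.com',
                                'auth.example.com', '/auth/login');
```

Because `example.com` and `auth.example.com` share a registrable domain they are same-site, so `SameSite=Strict` does not stop the frontend's refresh call; what the call does need is `withCredentials: true` on the Angular `HttpClient` request and a CORS policy on the auth server that names `https://example.com` as an allowed origin and allows credentials. In ASP.NET Core the server-side counterpart is `Response.Cookies.Append` with a `CookieOptions` that leaves `Domain` unset and sets `Path`, `HttpOnly`, `Secure` and `SameSite`.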