Persist Cookie from 3rd party API

Time:01-03

I have an authentication API that adds a refresh token to a HTTP only cookie.

    Response.Cookies.Append("myRefresfToken", refreshToken, new Microsoft.AspNetCore.Http.CookieOptions
    {
        SameSite = Microsoft.AspNetCore.Http.SameSiteMode.None,
        Expires = DateTime.UtcNow.AddDays(1),
        HttpOnly = true,
        Secure = false,
        Domain = null,
        Path = "/oauth/v2.0/Authorization/"
    });

When my site gets the response back from the Token endpoint the set-cookie header is there. However, when I look in the site with dev tools I cannot see the cookie being set. Also, when requests are made back to the auth API the refresh token cookie is not present.

How do I set a cookie from another api so that my client stores it?

Thank you,
Travis

CodePudding user response:

AVOID THIRD PARTY COOKIES

If you are using SameSite=none cookies you will also need to set Secure=true and use an SSL-based setup. Generally, though, I would advise against building any new solution that uses third-party cookies, which are aggressively dropped by modern browsers, and this is expected to only get stricter.

DESIGN FOR FIRST PARTY COOKIES

For an API to issue cookies that can be reliably used by a browser based app, there are hosting prerequisites these days. Aim for this type of setup, which all cloud providers support. Cookies then share the same parent domain, are not dropped and you will then also be able to use the most secure SameSite=strict cookies:

DEVELOPER TESTING

On a development computer you can simulate this by editing your hosts file:

127.0.0.1 www.example.com api.example.com
::1       localhost

You can then update apps to use URLs such as these. Note that different ports still count as Same Site, and that with the strict setting you can use HTTP URLs for local development. See if this resolves your immediate problem, then design your production deployments:

MODERN WEB ARCHITECTURE

Out of interest, the above concepts are part of an optimal Single Page Application architecture that we recommend at Curity, where an SPA can be deployed to a Content Delivery Network and use secure cookies issued by an API. If interested, see the Curity resources on this topic.
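The following is an added example, not code from the question, the answer or Curity. It models the three browser rules the answer relies on, so the failing Set-Cookie header from the question can be compared with a first-party one: SameSite=None is rejected without Secure, a cookie from a different site (the API on another registrable domain) is treated as third-party and dropped, and a Path attribute limits which requests carry the cookie. The site comparison is a simplification (last two host labels instead of the Public Suffix List), the "third-party blocked" outcome is an assumption that matches the answer's warning rather than any one browser's policy, and the headers, hosts and token value are constructed.

```javascript
// Added example (not from the original question or answer): a small model of the
// browser cookie rules the answer relies on. Simplifications are marked as such.

// Parse one Set-Cookie header into its attributes (defaults follow RFC 6265).
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    secure: false,
    httpOnly: false,
    sameSite: 'Lax', // what modern browsers assume when the attribute is absent
    path: '/',
  };
  for (const attr of attrs) {
    const i = attr.indexOf('=');
    const k = (i < 0 ? attr : attr.slice(0, i)).toLowerCase();
    const v = i < 0 ? '' : attr.slice(i + 1);
    switch (k) {
      case 'secure': cookie.secure = true; break;
      case 'httponly': cookie.httpOnly = true; break;
      case 'samesite': cookie.sameSite = v; break;
      case 'path': cookie.path = v; break;
      default: break; // Expires, Max-Age and Domain are not needed for this check
    }
  }
  return cookie;
}

// Simplified "site": the last two labels of the host. Real browsers use the
// Public Suffix List. Ports are never part of the site, so www:3000 and
// api:5000 on the same parent domain still count as same-site.
function siteOf(host) {
  return host.split(':')[0].split('.').slice(-2).join('.');
}

// Decide whether a browser would store the cookie. ctx holds the page host,
// the API host the response came from, and whether it was reached over HTTPS.
function storeDecision(header, ctx) {
  const c = parseSetCookie(header);
  if (c.sameSite.toLowerCase() === 'none' && !c.secure) {
    return { stored: false, reason: 'SameSite=None requires Secure' };
  }
  if (c.secure && !ctx.https) {
    return { stored: false, reason: 'Secure cookie set over plain HTTP' };
  }
  if (siteOf(ctx.pageHost) !== siteOf(ctx.apiHost)) {
    // Assumption: third-party cookies are blocked outright, as the answer warns.
    return { stored: false, reason: 'third-party cookie blocked' };
  }
  return { stored: true, reason: 'first-party cookie', cookie: c };
}

// Path-match rule from RFC 6265 section 5.1.4: is the cookie attached to a
// request for this path?
function pathMatches(cookiePath, requestPath) {
  if (cookiePath === requestPath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith('/') || requestPath[cookiePath.length] === '/';
}

// Constructed headers. The first mirrors the question's options (SameSite=None,
// no Secure flag); the second is the first-party, SameSite=Strict version.
const ORIGINAL_HEADER =
  'myRefresfToken=abc123; expires=Thu, 02 Jan 2025 00:00:00 GMT; path=/oauth/v2.0/Authorization/; samesite=none; httponly';
const FIRST_PARTY_HEADER =
  'myRefreshToken=abc123; expires=Thu, 02 Jan 2025 00:00:00 GMT; path=/oauth/v2.0/Authorization/; secure; samesite=strict; httponly';

// Constructed hosts matching the hosts-file setup in the answer (ports differ).
const SAME_SITE_CTX = { pageHost: 'www.example.com:3000', apiHost: 'api.example.com:5000', https: true };
const THIRD_PARTY_CTX = { pageHost: 'www.example.com', apiHost: 'login.idp-example.net', https: true };

console.log(storeDecision(ORIGINAL_HEADER, SAME_SITE_CTX));       // stored: false
console.log(storeDecision(FIRST_PARTY_HEADER, SAME_SITE_CTX));    // stored: true
console.log(storeDecision(FIRST_PARTY_HEADER, THIRD_PARTY_CTX));  // stored: false
console.log(pathMatches('/oauth/v2.0/Authorization/', '/oauth/v2.0/token')); // false
```

The last check is worth keeping in mind separately from the SameSite problem: with Path=/oauth/v2.0/Authorization/ the browser will not send the cookie to a token endpoint at /oauth/v2.0/token even once it is stored, so the refresh flow must live under that path or the Path attribute must be widened.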
