I am updating the authorization process on an old Symfony REST API / AngularJS app combo.
On authentication, the server provides cookies containing a couple of tokens to be stored in the browser so that they are added as headers in subsequent requests - pretty standard - but the cookie headers are not being included in the following requests since the deployment to my test server.
Everything works fine locally, so I assume I am missing some security config somewhere in my request/response headers.
A few notes:
- The API and the app are on the same domain but different subdomains
- Both of the subdomains use HTTPS
- mydomain.com is not in the public suffix list
- The cookie `secure` flag is set, the `SameSite` option is set to `strict`, the `path` option is set, and the `domain` option is set to `mydomain.com`. If I understand correctly, it should allow the cookies to be set for all mydomain.com subdomains.
- Requests include the `withcredentials` header
- Responses include the `access-control-allow-credential` header
In the DevTools, this is what the login request looks like:

```
General
----------
Request URL: https://subdomain1.mydomain.com/login
Request Method: GET
Status Code: 200
Remote Address: xxx.xxx.xxx.xxx:xxx
Referrer Policy: strict-origin-when-cross-origin

Response Headers
----------
access-control-allow-credentials: true
access-control-allow-origin: https://subdomain2.mydomain.com
cache-control: private, must-revalidate
content-encoding: br
content-type: application/json
date: Sat, 04 Mar 2023 01:39:21 GMT
expires: -1
host-header: 6b7412fb82ca5edfd0917e3957f05d89
pragma: no-cache
server: nginx
set-cookie: BEARER=<JWT_TOKEN>; expires=Sat, 04-Mar-2023 02:39:21 GMT; Max-Age=3600; path=/; domain=mydomain.com; secure; httponly; samesite=strict
set-cookie: refresh_token=<REFRESH_TOKEN>; expires=Mon, 03-Apr-2023 01:39:21 GMT; Max-Age=2592000; path=/token; domain=mydomain.com; secure; httponly; samesite=strict
vary: Accept-Encoding
vary: Authorization
x-httpd: 1
x-proxy-cache: MISS
x-proxy-cache-info: 0 NC:000000 UP:SKIP_CACHE_SET_COOKIE
x-robots-tag: noindex

Request Headers
----------
:authority: subdomain1.mydomain.com
:method: GET
:path: /login
:scheme: https
accept: application/json, text/plain, */*
accept-encoding: gzip, deflate, br
accept-language: en-CA,en;q=0.9,fr-FR;q=0.8,fr;q=0.7,en-GB;q=0.6,en-US;q=0.5
authorization: <ACCESS TOKEN>
cache-control: no-cache
origin: https://subdomain2.mydomain.com
pragma: no-cache
referer: https://subdomain2.mydomain.com/
sec-ch-ua: "Chromium";v="110", "Not A(Brand";v="24", "Google Chrome";v="110"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
sec-fetch-dest: empty
sec-fetch-mode: cors
sec-fetch-site: same-site
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
withcredentials: true
```
I read dozens of other questions with the same kind of problem but I still can't figure out where I am messing up. Some help would be greatly appreciated.
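As an added example that is not part of the question, the following checker applies the Domain, Path, Secure and SameSite rules (RFC 6265 plus the SameSite rules for XHR/fetch requests) to the two Set-Cookie lines from the DevTools dump and reports whether a browser would attach each cookie to a given request from the app's origin. The cookie strings are reconstructed from the question with placeholder tokens, and the registrable-domain (eTLD+1) rule is simplified to "the last two labels", which is an assumption that holds for mydomain.com but not for hosts under public suffixes like co.uk.

```python
from urllib.parse import urlsplit

SET_COOKIES = [  # constructed from the question's two set-cookie headers, tokens replaced by placeholders
    "BEARER=<JWT_TOKEN>; Max-Age=3600; path=/; domain=mydomain.com; secure; httponly; samesite=strict",
    "refresh_token=<REFRESH_TOKEN>; Max-Age=2592000; path=/token; domain=mydomain.com; secure; httponly; samesite=strict",
]

def parse_set_cookie(header, response_host):
    """Keep the attributes that decide whether a cookie is attached to a later request."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    c = {"name": name, "value": value, "path": "/", "secure": False, "samesite": "lax",
         "domain": response_host.lower(), "host_only": True}  # no Domain attribute => host-only cookie
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.lower()
        if key == "secure":
            c["secure"] = True
        elif key == "path":
            c["path"] = val or "/"
        elif key == "samesite":
            c["samesite"] = val.lower()
        elif key == "domain" and val:  # Domain widens scope to that domain and all its subdomains
            c["domain"], c["host_only"] = val.lstrip(".").lower(), False
    return c

def path_matches(req_path, cookie_path):
    """RFC 6265 section 5.1.4 path-match."""
    if req_path == cookie_path:
        return True
    return req_path.startswith(cookie_path) and (cookie_path.endswith("/") or req_path[len(cookie_path)] == "/")

def registrable_domain(host):
    # Assumption: eTLD+1 is the last two labels; true for mydomain.com, wrong for hosts under e.g. co.uk
    return ".".join(host.lower().split(".")[-2:])

def would_send(cookie, request_url, initiator_origin):
    """Model an XHR/fetch request (not a navigation) to request_url from a page at initiator_origin."""
    req, org = urlsplit(request_url), urlsplit(initiator_origin)
    host, d = req.hostname.lower(), cookie["domain"]
    if cookie["secure"] and req.scheme != "https":
        return False, "Secure cookie but the request is not https"
    if host != d and (cookie["host_only"] or not host.endswith("." + d)):
        return False, f"request host {host} does not domain-match {d}"
    if not path_matches(req.path or "/", cookie["path"]):
        return False, f"request path {req.path or '/'} does not path-match {cookie['path']}"
    cross_site = registrable_domain(host) != registrable_domain(org.hostname)
    if cross_site and cookie["samesite"] in ("lax", "strict"):  # both block cross-site XHR/fetch
        return False, f"SameSite={cookie['samesite']} blocks a cross-site request"
    return True, "sent"
```

Running `would_send` for each parsed cookie against the real request URLs shows which attribute (Path in particular, since the refresh cookie is scoped to /token) rules a cookie out before looking at CORS settings.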