Implementing Cross-Domain Cookie Handling for Seamless API Integration

Albin Issac, published in Tech Learnings, Jun 28, 2024 (6 min read)


When an application integrates with external applications and APIs hosted on other domains, maintaining shared state such as an authenticated session is hard, because browsers restrict which domain a cookie can be set for and sent to. State can be shared through localStorage/sessionStorage, or by setting cookies from client-side script, but anything readable by JavaScript is exposed to an XSS bug: injected script can read the token and exfiltrate it. Cookies flagged Secure and HttpOnly are safer. HttpOnly keeps them out of document.cookie, so they can only be read and written by the backend through Set-Cookie headers; Secure limits them to HTTPS; and the browser attaches them automatically to every request to the cookie's domain, subject to the cookie's SameSite rule. (HttpOnly does not stop injected script from making authenticated requests from the page, but it does stop the session token itself from being stolen.) This post discusses the approach to making cookies set by an API running on a different domain available to the application's domain in the browser.

Scenario:

The application running on https://test.mydomain.com:8080 invokes an API at https://test.api.com:8081 from the client side (a cross-site fetch/XHR). The API sets a cookie that should be available to test.mydomain.com. Additionally, all subsequent requests to https://test.mydomain.com, or to any other subdomain of mydomain.com, should include the cookie to maintain the state.

Problem:

In this cross-domain context, the response from the https://test.api.com:8081 API service cannot set a cookie for test.mydomain.com or for the parent domain mydomain.com. A browser only accepts a Set-Cookie whose Domain attribute is the responding host itself or a parent domain of it (RFC 6265 domain matching): test.api.com may scope a cookie to test.api.com or api.com, but Domain=mydomain.com does not match the responding host, so the browser discards the cookie. A cookie scoped to api.com is stored, but it is only ever sent back to api.com hosts (and, on a cross-site request, only if it carries SameSite=None; Secure), so it never reaches test.mydomain.com. The port numbers play no role here: cookies are not isolated by port.
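To make the browser rule concrete, here is an added example (mine, not code from the post or from any project it describes) that models the RFC 6265 checks a browser applies to the scenario above: whether a Set-Cookie from test.api.com is stored at all, and to which hosts a stored cookie is later attached. The hostnames and the cookie name/value are constructed for illustration, and the SameSite defaults follow Chromium's behaviour; public-suffix checks and Path matching are left out.

```javascript
// Added example (not from the post): a model of the RFC 6265 rules a browser
// applies when https://test.api.com:8081 answers a cross-site fetch from
// https://test.mydomain.com:8080 with a Set-Cookie header.
// Hosts and cookie values below are constructed for illustration.

const IPV4 = /^\d{1,3}(\.\d{1,3}){3}$/;

// RFC 6265 section 5.1.3: `host` domain-matches `domain` if they are equal, or
// `host` ends with "." + `domain` and `host` is not an IP address.
function domainMatches(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  if (host === domain) return true;
  return host.endsWith('.' + domain) && !IPV4.test(host);
}

// Minimal Set-Cookie parser covering only the attributes this scenario needs.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    domain: null,      // null => host-only cookie (RFC 6265 section 5.3)
    secure: false,
    httpOnly: false,
    sameSite: 'Lax',   // Chromium treats an absent SameSite as Lax
  };
  for (const attr of attrs) {
    const [k, v = ''] = attr.split('=');
    switch (k.toLowerCase()) {
      case 'domain':   cookie.domain = v.replace(/^\./, '').toLowerCase(); break;
      case 'secure':   cookie.secure = true; break;
      case 'httponly': cookie.httpOnly = true; break;
      case 'samesite': {
        const val = v.toLowerCase();
        cookie.sameSite = val === 'none' ? 'None' : val === 'strict' ? 'Strict' : 'Lax';
        break;
      }
    }
  }
  return cookie;
}

// Decide whether the browser stores a cookie received from `requestHost`.
function storeCookie(requestHost, header) {
  const cookie = parseSetCookie(header);
  const host = requestHost.toLowerCase();
  if (cookie.domain !== null && !domainMatches(host, cookie.domain)) {
    // RFC 6265 section 5.3 step 6: the request-host must domain-match the
    // Domain attribute; otherwise the cookie is ignored entirely.
    return { stored: false, reason: `${host} does not domain-match Domain=${cookie.domain}`, cookie };
  }
  if (cookie.sameSite === 'None' && !cookie.secure) {
    return { stored: false, reason: 'SameSite=None requires Secure', cookie };
  }
  const hostOnly = cookie.domain === null;
  return {
    stored: true,
    reason: 'accepted',
    cookie: { ...cookie, hostOnly, domain: hostOnly ? host : cookie.domain },
  };
}

// Decide whether a stored cookie is attached to an HTTPS request to `targetHost`.
// `crossSite` is true when the request's site differs from the top-level page's site.
function attachedToRequest(stored, targetHost, crossSite) {
  const host = targetHost.toLowerCase();
  const hostOk = stored.hostOnly ? host === stored.domain : domainMatches(host, stored.domain);
  if (!hostOk) return false;
  return !(crossSite && stored.sameSite !== 'None');
}

// The post's scenario. Ports are irrelevant: cookies carry no port
// (RFC 6265 section 8.5), so :8080 and :8081 change nothing below.
function scenario() {
  const apiHost = 'test.api.com';
  // What the API would like to do: scope the cookie to the application's domain.
  const forApp = storeCookie(apiHost, 'session=abc123; Domain=mydomain.com; Secure; HttpOnly');
  // What the API is allowed to do: scope the cookie to its own domain.
  const forApi = storeCookie(apiHost, 'session=abc123; Domain=api.com; Secure; HttpOnly; SameSite=None');
  return {
    appCookieStored: forApp.stored,        // false: rejected by domain matching
    appCookieReason: forApp.reason,
    apiCookieStored: forApi.stored,        // true
    // Sent back to the API on a cross-site fetch only because of SameSite=None; Secure.
    sentToApiFromApp: attachedToRequest(forApi.cookie, 'test.api.com', true),
    // Never attached to a request to the application's own domain.
    sentToApp: attachedToRequest(forApi.cookie, 'test.mydomain.com', false),
  };
}

console.log(scenario());
```

Run it with `node` and compare the two stored results: the cookie aimed at mydomain.com is discarded outright, and the cookie the API can legitimately set for api.com is stored but never accompanies a request to test.mydomain.com, which is exactly the gap the post sets out to close.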

Solution:
