
Is there a way to have the Identity Library cookies be tied to the root domain? #58076

Answered by josephdecock
DavidThielen asked this question in Q&A

There's a security risk that you should be aware of, which is that if you set the cookie domain to be the parent domain, browsers will send the cookies to ALL subdomains. The risk is that if some other subdomain is hacked, browsers will send session cookies to the attacker - imagine if you're running app1.example.com and app2.example.com, but there's also crappy-word-press-site.example.com that was set up by some marketing team 7 years ago, forgotten about, has never received any security patches and is now taken over by an attacker. Now if a user is logged on and goes to the vulnerable site, their session cookie will be disclosed to the attacker.

A better solution is to use a protocol th…
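To make the scoping rule in the answer concrete, here is an added example that is not code from this thread or from the Identity library. It simulates how a browser applies RFC 6265 domain matching to a session cookie: once with `Domain=example.com` (sent to every subdomain, including the forgotten one), once with no `Domain` attribute (host-only, stays with the issuing host), and once with the `__Host-` prefix, which browsers reject if a `Domain` attribute is present at all. The function names (`domainMatches`, `parseSetCookie`, `hostsReceiving`) are my own, the hostnames are the ones from the answer plus two constructed ones, and public-suffix checks are deliberately not modelled.

```javascript
// Added example for this discussion (not code from the thread or from the
// Identity library): a small simulation of RFC 6265 cookie domain scoping.
// It shows which hosts a browser would send a session cookie to when the
// cookie is scoped to the parent domain versus left host-only.
// Host names are the ones used in the answer above plus two constructed ones.

// RFC 6265 section 5.1.3 domain matching: the host is the domain itself or a
// subdomain of it. The "." is what keeps evil-example.com from matching.
function domainMatches(host, cookieDomain) {
  const h = host.toLowerCase();
  const d = cookieDomain.toLowerCase();
  return h === d || h.endsWith('.' + d);
}

// Parse one Set-Cookie header value as a browser would when it arrives from
// requestHost. Returns null when the browser would reject the cookie.
// (Public-suffix checks, e.g. refusing Domain=co.uk, are not modelled.)
function parseSetCookie(header, requestHost) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    domain: requestHost.toLowerCase(), // default: host-only
    hostOnly: true,
    path: '/',
    secure: false,
  };
  for (const attr of attrs) {
    const [k, v = ''] = attr.split('=');
    const key = k.toLowerCase();
    if (key === 'domain' && v) {
      const d = v.replace(/^\./, '').toLowerCase();
      // A server may only widen scope to a domain that covers itself.
      if (!domainMatches(requestHost, d)) return null;
      cookie.domain = d;
      cookie.hostOnly = false;
    } else if (key === 'path' && v) {
      cookie.path = v;
    } else if (key === 'secure') {
      cookie.secure = true;
    }
  }
  // __Host- prefix: accepted only if Secure, Path=/ and no Domain attribute,
  // so such a cookie can never be widened to sibling subdomains.
  if (cookie.name.startsWith('__Host-') &&
      (!cookie.secure || !cookie.hostOnly || cookie.path !== '/')) {
    return null;
  }
  return cookie;
}

// Which of the given hosts would receive this cookie on a request?
function hostsReceiving(cookie, hosts) {
  if (!cookie) return [];
  return hosts.filter((h) =>
    cookie.hostOnly ? h.toLowerCase() === cookie.domain : domainMatches(h, cookie.domain));
}

const HOSTS = [
  'app1.example.com',
  'app2.example.com',
  'crappy-word-press-site.example.com', // the forgotten, compromised subdomain
  'example.com',
  'evil-example.com', // constructed: unrelated domain with a similar suffix
];

// Cookie issued by app1 with Domain=example.com: sent to every subdomain.
const parentScoped = parseSetCookie(
  'session=abc123; Domain=example.com; Path=/; Secure; HttpOnly', 'app1.example.com');
// Same cookie without a Domain attribute: host-only, stays with app1.
const hostOnly = parseSetCookie(
  'session=abc123; Path=/; Secure; HttpOnly', 'app1.example.com');
// __Host- prefixed cookie with a Domain attribute: a browser rejects it.
const rejected = parseSetCookie(
  '__Host-session=abc123; Domain=example.com; Path=/; Secure', 'app1.example.com');

console.log('Domain=example.com ->', hostsReceiving(parentScoped, HOSTS));
console.log('host-only          ->', hostsReceiving(hostOnly, HOSTS));
console.log('__Host- + Domain   ->', rejected);
```

Run it with `node` to see the parent-scoped cookie land on all four `example.com` hosts, the host-only cookie reach only `app1.example.com`, and the `__Host-` variant be dropped. The practical takeaway matches the answer: if you want a cookie that can never be replayed to a sibling subdomain, leave `Domain` unset (or use the `__Host-` prefix, which enforces that), and share login state across apps through a protocol rather than through a shared cookie.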

Replies: 1 comment 2 replies

2 replies
@DavidThielen

@josephdecock

Answer selected by DavidThielen