
I have an AWS Lambda, hosted on the domain b.example.com, that sends a 302 redirect response to the location a.example.com with a Set-Cookie header for Domain=example.com.

// Lambda@Edge handler returning the redirect response;
// maxAge is assumed to be defined elsewhere in the real function
exports.handler = async () => {
  const maxAge = 3600; // seconds; placeholder for the value used in the real function
  return {
    headers: {
      // as posted: a scheme-less Location value is resolved by the browser as a relative reference
      location: [{ key: 'Location', value: 'a.example.com' }],
      'set-cookie': [{
        key: 'Set-Cookie',
        value: `cookie.name=cookie-value; Domain=example.com; Max-Age=${maxAge}; SameSite=Strict; Secure; HttpOnly`
      }]
    },
    status: '302',
    statusDescription: 'redirect'
  };
};

The browser saves the cookie (it is not rejected), but does not send it in the request headers when it requests b.example.com. It only sends the cookie if I set SameSite=Lax. The question is: does SameSite=Strict not work for subdomains? Is the only way to make it work to use Lax mode?

Additional Details

I tried to replicate the same scenario locally (without AWS) with two trivial Express.js apps. One writes the cookie in the response and the other reads it.

// generator (served as https://a.example.com; TLS server setup omitted)
const express = require('express');
const app = express();

app.get('/', (req, res) => {
    // Domain=example.com makes the cookie readable by every subdomain
    res.cookie('cookie-name', 'cookie-value', {
        domain: 'example.com',
        httpOnly: true,
        path: '/',
        sameSite: 'Strict',
        secure: true
    });
    res.redirect('https://b.example.com:3001');
});

// reader (served as https://b.example.com:3001); req.cookies is only
// populated when the cookie-parser middleware is installed
const cookieParser = require('cookie-parser');
const reader = express();
reader.use(cookieParser());

reader.get('/', (req, res) => {
    res.send(`cookies in req ${JSON.stringify(req.cookies)}`);
});

These are also two separate apps hosted on https://a.example.com and https://b.example.com, with self-signed certs and all. Both subdomains point to 127.0.0.1. With this setup the same thing works without any hiccup.

Is there any reason for this discrepancy?


0 answers
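As an added illustration (not part of the question, and not code from either of the setups above), the following JavaScript models the checks a browser performs before attaching a stored cookie to a request: the RFC 6265 domain-match rule, the RFC 6265bis definition of a same-site request (the document that initiated the navigation and every hop of a redirect chain must share the target's scheme and registrable domain), and the difference between SameSite=Strict and SameSite=Lax. Assumptions: the registrable domain is approximated as the last two host labels (real browsers consult the Public Suffix List), cookies with a missing or unrecognised SameSite value are treated as Lax (Chrome's default), the initiator https://idp.example.org is constructed for the scenario, and Path, Max-Age and storage-time rejection are not modelled.

```javascript
// Simplified model of a browser's cookie-attachment decision (added example;
// assumptions: last-two-labels registrable domain, Lax as the default mode).

function registrableDomain(host) {
  return host.toLowerCase().split('.').slice(-2).join('.');
}

// A "site" is scheme plus registrable domain, so https://a.example.com and
// https://b.example.com are the same site, while https://idp.example.org is not.
function siteOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${registrableDomain(u.hostname)}`;
}

// RFC 6265 section 5.1.3: host domain-matches domain when equal or when host
// ends with "." + domain ("aexample.com" does not match "example.com").
function domainMatches(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  return host === domain || host.endsWith('.' + domain);
}

function splitFirst(s, sep) {
  const i = s.indexOf(sep);
  return i === -1 ? [s, ''] : [s.slice(0, i), s.slice(i + 1)];
}

// Parse a Set-Cookie header received from responseHost. Without a Domain
// attribute the cookie is host-only and bound to that exact host.
function parseSetCookie(header, responseHost) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const [name, value] = splitFirst(pair, '=');
  const cookie = { name, value, domain: responseHost.toLowerCase(), hostOnly: true,
                   secure: false, httpOnly: false, sameSite: 'Lax' };
  for (const attr of attrs) {
    const [k, v] = splitFirst(attr, '=');
    switch (k.toLowerCase()) {
      case 'domain':
        cookie.domain = v.replace(/^\./, '').toLowerCase();
        cookie.hostOnly = false;
        break;
      case 'secure': cookie.secure = true; break;
      case 'httponly': cookie.httpOnly = true; break;
      case 'samesite': {
        const mode = v.toLowerCase();
        cookie.sameSite = mode === 'strict' ? 'Strict' : mode === 'none' ? 'None' : 'Lax';
        break;
      }
      default: break; // Path, Max-Age, Expires: not modelled
    }
  }
  return cookie;
}

// req: { url, method, topLevelNavigation, initiator (URL of the document that
// started the navigation, or null when typed into the address bar),
// redirectChain (URLs visited earlier in the same redirect chain) }
function isSameSiteRequest(req) {
  const target = siteOf(req.url);
  // Every hop of a redirect chain must be same-site with the final target.
  if (!req.redirectChain.every((u) => siteOf(u) === target)) return false;
  // The initiating document's site must match; address-bar navigations have none.
  if (req.initiator !== null && siteOf(req.initiator) !== target) return false;
  return true;
}

const SAFE_METHODS = ['GET', 'HEAD', 'OPTIONS', 'TRACE'];

function shouldAttachCookie(cookie, req) {
  const u = new URL(req.url);
  if (cookie.secure && u.protocol !== 'https:') return false;
  const host = u.hostname.toLowerCase();
  if (cookie.hostOnly ? host !== cookie.domain : !domainMatches(host, cookie.domain)) return false;
  const sameSite = isSameSiteRequest(req);
  switch (cookie.sameSite) {
    case 'None': return true;
    case 'Strict': return sameSite;
    default: // Lax is also sent on top-level navigations that use a safe method
      return sameSite || (req.topLevelNavigation && SAFE_METHODS.includes(req.method));
  }
}

// Constructed scenario mirroring the question: b.example.com sets the cookie
// and redirects to a.example.com; this is the request that follows the redirect.
const strictCookie = parseSetCookie(
  'cookie.name=cookie-value; Domain=example.com; Max-Age=3600; SameSite=Strict; Secure; HttpOnly',
  'b.example.com');
const laxCookie = { ...strictCookie, sameSite: 'Lax' };

// Case 1: the user typed https://b.example.com into the address bar.
const typedIn = { url: 'https://a.example.com/', method: 'GET', topLevelNavigation: true,
                  initiator: null, redirectChain: ['https://b.example.com/'] };
// Case 2: the same chain, but the visit to b.example.com was started from a page
// on another site (constructed: a link or redirect from https://idp.example.org).
const fromOtherSite = { ...typedIn, initiator: 'https://idp.example.org/login' };

console.log('typed in, Strict       :', shouldAttachCookie(strictCookie, typedIn));       // true
console.log('from other site, Strict:', shouldAttachCookie(strictCookie, fromOtherSite)); // false
console.log('from other site, Lax   :', shouldAttachCookie(laxCookie, fromOtherSite));    // true
```

Run it with node. Under this model the Strict cookie is attached to the request to a.example.com that follows the redirect when the navigation began in the address bar, because both hosts belong to the site https://example.com; it is withheld, and only the Lax variant sent, when the same chain was initiated from a page on a different site, since a navigation request inherits the initiator's site through the whole redirect chain. That is one context in which Strict and Lax diverge for two subdomains of the same registrable domain even though neither the Domain attribute nor the subdomain split is at fault.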