I have an AWS Lambda, hosted on domain `b.example.com`, that sends a 302 redirect response to location `a.example.com` with a `set-cookie` header for `Domain=example.com`.
```javascript
// Lambda@Edge handler returning the redirect response; the original snippet
// showed only the response object, with maxAge defined elsewhere.
exports.handler = async () => {
  const maxAge = 3600; // seconds; the real value is not given in the question
  return {
    headers: {
      // absolute URL: the original had the bare host 'a.example.com', which a
      // browser would resolve relative to b.example.com
      "location": [{ key: "Location", value: "https://a.example.com" }],
      "set-cookie": [{
        key: "Set-Cookie",
        value: `cookie.name=cookie-value; Domain=example.com; Max-Age=${maxAge}; SameSite=Strict; Secure; HttpOnly`
      }]
    },
    status: "302",
    statusDescription: "redirect"
  };
};
```
The browser saves the cookie (it is not rejected), but does not send the cookie in the request headers when it requests `b.example.com`. It only sends the cookie if I set `SameSite=Lax`. The question is, does `SameSite=Strict` not work for subdomains? Is the only way to make it work to use `Lax` mode?
Additional Details
I tried to replicate the same scenario locally (w/o AWS) with 2 trivial express.js apps. One writes the cookie in the response and the other reads it.
```javascript
// generator: runs as https://a.example.com (port 3000 is an assumed placeholder)
const express = require('express');
const https = require('https');
const fs = require('fs');
const app = express();
app.get('/', (req, res) => {
  res.cookie('cookie-name', 'cookie-value', {
    domain: 'example.com',
    httpOnly: true,
    path: '/',
    sameSite: 'Strict',
    secure: true
  });
  res.redirect('https://b.example.com:3001');
});
// self-signed certificate; the file names are placeholders
const tls = { key: fs.readFileSync('key.pem'), cert: fs.readFileSync('cert.pem') };
https.createServer(tls, app).listen(3000);
```

```javascript
// reader: a separate process running as https://b.example.com:3001
const express = require('express');
const https = require('https');
const fs = require('fs');
const cookieParser = require('cookie-parser'); // req.cookies stays undefined without it
const app = express();
app.use(cookieParser());
app.get('/', (req, res) => {
  res.send(`cookies in req ${JSON.stringify(req.cookies)}`);
});
const tls = { key: fs.readFileSync('key.pem'), cert: fs.readFileSync('cert.pem') };
https.createServer(tls, app).listen(3001);
```
These are also 2 separate apps, hosted on `https://a.example.com` and `https://b.example.com` with self-signed certs and all. Both subdomains point to 127.0.0.1. And with this, the same thing works w/o any hiccup.
Is there any reason for this discrepancy?
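The question turns on whether a navigation between `b.example.com` and `a.example.com` counts as "same-site" for a `SameSite=Strict` cookie. The following is an added example, not code from the question or from AWS: a small Node.js model of the two checks a browser applies before attaching such a cookie, RFC 6265 domain-matching and the registrable-domain ("site") comparison behind `SameSite`. The public-suffix set, the cookie object and the scenario hosts are constructed for the demo; a real browser consults the full Public Suffix List and also compares schemes.

```javascript
// Added example (not from the question): a model of the checks a browser
// applies before attaching a cookie with a Domain attribute and SameSite.

// Constructed stand-in for the Public Suffix List; a browser uses the full list.
const PUBLIC_SUFFIXES = new Set(['com', 'net', 'org', 'uk', 'co.uk']);

// Registrable domain (eTLD+1): the longest matching public suffix plus one label.
function registrableDomain(host) {
  const labels = host.toLowerCase().split('.');
  for (let i = 1; i < labels.length; i++) {
    if (PUBLIC_SUFFIXES.has(labels.slice(i).join('.'))) {
      return labels.slice(i - 1).join('.');
    }
  }
  return null; // single label or a bare public suffix: no registrable domain
}

// Two hosts are same-site when their registrable domains are equal.
// (Schemeful same-site also compares the scheme; everything here is https.)
function sameSite(hostA, hostB) {
  const a = registrableDomain(hostA);
  return a !== null && a === registrableDomain(hostB);
}

// RFC 6265 section 5.1.3 domain-match: the request host equals the cookie
// Domain or is a subdomain of it. A leading dot on the attribute is ignored.
function domainMatches(requestHost, cookieDomain) {
  const host = requestHost.toLowerCase();
  const domain = cookieDomain.toLowerCase().replace(/^\./, '');
  return host === domain || host.endsWith('.' + domain);
}

// Would the stored cookie be attached to this request?
// request: { host, secure, initiatorHost, topLevelNavigation, safeMethod }
// initiatorHost is null when the user typed the URL, which counts as same-site.
function cookieWouldBeSent(cookie, request) {
  if (!domainMatches(request.host, cookie.domain)) return false;
  if (cookie.secure && !request.secure) return false;
  const sameSiteRequest =
    request.initiatorHost === null || sameSite(request.initiatorHost, request.host);
  const mode = (cookie.sameSite || 'Lax').toLowerCase();
  if (mode === 'none') return true;
  if (mode === 'strict') return sameSiteRequest;
  // Lax (also the default): same-site requests plus top-level safe-method navigations
  return sameSiteRequest || (request.topLevelNavigation && request.safeMethod);
}

// The cookie from the question, as the browser stores it (constructed object).
const questionCookie = {
  name: 'cookie.name', domain: 'example.com', secure: true, httpOnly: true, sameSite: 'Strict'
};

// A top-level GET navigation to targetHost that was initiated from initiatorHost.
function navigationSendsCookie(initiatorHost, targetHost, sameSiteMode) {
  return cookieWouldBeSent({ ...questionCookie, sameSite: sameSiteMode }, {
    host: targetHost, secure: true, initiatorHost, topLevelNavigation: true, safeMethod: true
  });
}

console.log('a.example.com -> b.example.com, Strict:', navigationSendsCookie('a.example.com', 'b.example.com', 'Strict'));
console.log('other.com -> b.example.com, Strict:    ', navigationSendsCookie('other.com', 'b.example.com', 'Strict'));
console.log('other.com -> b.example.com, Lax:       ', navigationSendsCookie('other.com', 'b.example.com', 'Lax'));
```

Under this model the two subdomains share the registrable domain `example.com`, so a hop between them is same-site and the `Strict` cookie is attached, which matches the local Express result. The one combination where `Strict` drops the cookie while `Lax` keeps it is a top-level navigation into `b.example.com` that was initiated from a different site; that makes the initiator of the request to `b.example.com` (visible in the browser's Network panel) the first thing worth checking in the AWS setup, alongside confirming that the hosts involved really share one registrable domain.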