Change cookie domain in HTTP::respond
My need is to redirect requests for https://foo.xxx.com/mfe to a new URL (different domain) and pass along a specific cookie (cookie name is avul_user). The redirect works and the cookie is sent, but the browser fails to load the site. Developer tools shows the message: "This attempt to set a cookie via a Set-Cookie header was blocked because its Domain attribute was invalid with regards to the current host url." Any ideas how to change the domain of the cookie and get the browser to accept it?
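when HTTP_REQUEST {
    if { [HTTP::path] equals "/mfe" } {
        # Read the value of the avul_user cookie from the incoming request
        set avcookie "[HTTP::cookie value {avul_user}]"
        # Build a Set-Cookie value scoped to .yyy.com (this response is served from foo.xxx.com)
        set cookie [format "%s=%s; path=/; domain=%s" avul_user ${avcookie} ".yyy.com"]
        # Redirect to the new domain and attach the cookie to the 302 response
        HTTP::respond 302 Location "https://foo.yyy.com/web/login" "Set-Cookie" $cookie
    }
}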
When redirecting (and on cross-domain requests such as fetch()/XMLHttpRequest()) to third-party domains, the browser does not send cookies. Cookies are scoped to a specific domain (and possibly subdomains thereof), because it's a part of internet security, based on Cross-Origin Resource Sharing (CORS).
Possible solutions for your case, their advantages/disadvantages and how to do it safely, are given on Stack Overflow.
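The check behind the browser message quoted in the question, as an added example that is not part of the original thread: a simplified model of the RFC 6265 Domain-attribute rule (sections 5.1.3, 5.2.3 and 5.3) applied to the Set-Cookie header the iRule builds. The function names and the cookie value `abc123` are constructed for illustration, and public-suffix rejection is not modelled.

```javascript
// Simplified RFC 6265 Domain-attribute check (added example, not browser source).

function isIpLiteral(host) {
  // IPv4 dotted quad or bracketed IPv6 as returned by URL.hostname
  return /^[\d.]+$/.test(host) || host.includes(':');
}

// RFC 6265 section 5.1.3: identical, or host ends with "." + domain and is not an IP.
function domainMatches(host, domain) {
  if (host === domain) return true;
  if (isIpLiteral(host)) return false;
  return host.endsWith('.' + domain);
}

// RFC 6265 section 5.2.3: last Domain attribute wins, leading dot is stripped,
// an empty value is ignored.
function domainAttribute(setCookie) {
  let domain = '';
  for (const part of setCookie.split(';').slice(1)) {
    const eq = part.indexOf('=');
    const name = (eq === -1 ? part : part.slice(0, eq)).trim().toLowerCase();
    if (name !== 'domain') continue;
    const value = eq === -1 ? '' : part.slice(eq + 1).trim();
    if (value !== '') domain = value.replace(/^\./, '').toLowerCase();
  }
  return domain;
}

// RFC 6265 section 5.3 step 6: a cookie whose Domain does not match the host
// that sent the response is dropped entirely.
function evaluateSetCookie(responseUrl, setCookie) {
  const host = new URL(responseUrl).hostname.toLowerCase().replace(/\.$/, '');
  const domain = domainAttribute(setCookie);
  if (domain === '') return { accepted: true, hostOnly: true, scope: host };
  if (!domainMatches(host, domain)) {
    return { accepted: false, hostOnly: false, scope: null };
  }
  return { accepted: true, hostOnly: false, scope: domain };
}

// Constructed header in the shape the iRule emits (cookie value is a placeholder).
const header = 'avul_user=abc123; path=/; domain=.yyy.com';
// Sent by foo.xxx.com, as in the question: rejected.
console.log(evaluateSetCookie('https://foo.xxx.com/mfe', header));
// The same header sent by a host under yyy.com: accepted for yyy.com and subdomains.
console.log(evaluateSetCookie('https://foo.yyy.com/web/login', header));
```

The cookie can only be accepted when the response that carries it comes from a host under the domain named in its Domain attribute.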