
I have read that storing the JWT within an HttpOnly, Secure cookie is the recommended way to prevent both CSRF attacks and XSS attacks.

When a user goes to my website they may make an api call like so

POST mygatewayproxy.example/login-service/login

and the request is proxied to the load balancer

POST my-login-service-lb.example/login

and finally it hits my service

POST login-service-1.example/login

Can I set an HttpOnly, Strict, Secure cookie within my service login-service-1 with a different domain value, "mygatewayproxy.example"? My intent is to set the JWT within the HttpOnly cookie so it can be used later when making requests to other services.

If the above is possible, can I then do the following?

When a user makes a request to a different service

POST mygatewayproxy.example/different-service/req

and the request is proxied to the load balancer

POST different-service-lb.example/req

and finally it hits my service

POST different-service-1.example/req

Will different-service-1.example have access to the HttpOnly cookie with the domain mygatewayproxy.example? Or, put another way, will the browser send the cookie to my different-service-1? I would like to verify that they are signed in and authorized, but this is only possible if a cookie that was set in the login service is sent to this service.

Steffen Ullrich
Dan
  • I don't really see a __security__ question here but only a __functionality__ question, i.e. how cookies work in this scenario and not if they are secure. Based on this it would be off-topic, but I'm not sure if stackoverflow.com or superuser.com would really be better places for this kind of question. – Steffen Ullrich May 29 '21 at 18:49
  • Please don't use potentially existing domain names which don't belong to you. Use the TLD `.example` instead which is specifically reserved for such purpose. See [RFC 2606](https://datatracker.ietf.org/doc/html/rfc2606). – Steffen Ullrich May 29 '21 at 18:53

1 Answer

One cannot set a cookie to a different domain, except for a different subdomain.

But in your specific scenario the user's browser only connects to mygatewayproxy.example and does not see any of the internal domains in the first place. This means the browser will only accept a cookie for mygatewayproxy.example or a subdomain of it. If no domain is explicitly set on the cookie, the current domain from the perspective of the browser will implicitly be used as the cookie domain.

This also means that any cookie set by login-service-1.example will also be sent to different-service-1.example, since from the perspective of the browser all these domains are only visible as mygatewayproxy.example.

Steffen Ullrich
  • Thank you for clarifying! I guess my confusion was that the microservices were on different domains than the original request's domain (to the gateway). I did not know it was possible to set a cookie within the microservice for the origin domain of the request the browser sent to the gateway. – Dan May 29 '21 at 19:33
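The acceptance and sending rules the answer describes, as an added example that is not part of the original answer: a small Python model of a browser cookie jar following the domain-matching rules of RFC 6265. The host names are the question's reserved `.example` names and the cookie values are constructed placeholders.

```python
# Added example (not from the original post): a minimal model of how a browser
# decides whether to accept a Set-Cookie header and whether to send the cookie
# back, following the domain-matching rules of RFC 6265.
from urllib.parse import urlparse

def domain_matches(host: str, domain: str) -> bool:
    """RFC 6265 5.1.3: host equals the domain or is a subdomain of it."""
    host, domain = host.lower(), domain.lower().lstrip(".")
    return host == domain or host.endswith("." + domain)

def parse_set_cookie(header: str) -> dict:
    """Split 'name=value; Attr=val; Flag' into a dict (attribute keys lowercased)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {k.strip().lower(): v.strip()
             for k, _, v in (p.partition("=") for p in parts[1:])}
    return {"name": name, "value": value, **attrs}

class CookieJar:
    def __init__(self) -> None:
        self.cookies: list[dict] = []

    def accept(self, request_url: str, set_cookie: str) -> bool:
        """Store the cookie only if the browser would; return whether it was stored."""
        host = urlparse(request_url).hostname
        c = parse_set_cookie(set_cookie)
        domain = c.get("domain")
        if domain:
            # RFC 6265 5.3 step 6: a Domain attribute the request host does not
            # domain-match (e.g. an internal service host) causes rejection.
            if not domain_matches(host, domain):
                return False
            c["host_only"], c["domain"] = False, domain.lstrip(".")
        else:
            # No Domain attribute: host-only cookie for the request host,
            # i.e. the gateway host the browser actually talked to.
            c["host_only"], c["domain"] = True, host
        self.cookies.append(c)
        return True

    def cookie_header(self, request_url: str) -> str:
        """Build the Cookie header a browser would attach to request_url."""
        u = urlparse(request_url)
        sent = []
        for c in self.cookies:
            if c["host_only"] and u.hostname != c["domain"]:
                continue
            if not c["host_only"] and not domain_matches(u.hostname, c["domain"]):
                continue
            if "secure" in c and u.scheme != "https":  # Secure: https only
                continue
            sent.append(f"{c['name']}={c['value']}")
        return "; ".join(sent)
```

Running the login and different-service requests from the question through the jar shows the cookie set via the gateway is offered to every path on mygatewayproxy.example, while a Domain attribute naming an internal host is rejected outright.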