Trying to use CORS and XSRF on different domains

Question

I have a frontend and a backend app. They are in different domains (subdomain). The frontend app does a first request (GET) to get some server-side information, basically session_id and XSRF-TOKEN cookies.

The situation is:

myapp.com cookies: _session_id api.myapp.com cookies: XSRF-TOKEN

So, my frontend app gets the _session_id cookie but it doesn't get the XSRF-TOKEN. When I try to get the XSRF-TOKEN to put it on the header like X-XSRF-TOKEN it isn't possible because they're different domains.

Any good soul to help me? Thanks in advance.

score 1 · Answer 1 · edited May 23 '17 at 11:49

1

You'll want to consider the following: Share session (cookies) between subdomains in Rails?

#config/initializers/session_store.rb
YourApp::Application.config.session_store :cookie_store, key: '_yourapp_session', domain: :all, tld_length: 2

edited May 23 '17 at 11:49

Community

1
1

answered Sep 02 '14 at 11:26

Richard Peck

74,781
9
90
142

score 0 · Answer 2 · answered Sep 02 '14 at 12:54

0

Looking a little bit further at rails I just needed to share the cookies between the subdomains like this:

cookies['XSRF-TOKEN'] = { value: form_authenticity_token, domain: '.myapp.com'}

answered Sep 02 '14 at 12:54

armoucar

388
3
14

Trying to use CORS and XSRF on different domains

2 Answers2