Can't set a cross subdomain cookie in Django - django

I'm trying to use a subdomain cross site cookie with django but I cannot get it, I am in a valid subdomain but it doesn't seems to be useful.
Thie is my conf:
SESSION_COOKIE_SAMESITE = 'None'
SESSION_COOKIE_DOMAIN = '.ngrok.io'
This is the headers from the browser:
But I get the message:
This set-cookie domain attribute was invalid with regards to the current host url
How can I do to make it work?

As says in this answer there is a newer specification for cookies (RFC 6265). The old specification can let you share a cookie sent it from a subdomain "sub.domain.com" or "domain.com" with domain=.domain.com to share between domains and subdomains, but the newer specification can let you share by domain and subdomain only if you sent the cookie from "domain.com" with SameSite=None and domain=domain.com

Related

What are valid values for the domain attribute of a cookie?

I can't find any good source that exlains what valid values for the domain attribute of a cookie are when it gets set. They all just explain where cookies set for domain x are sent to. But I want to know
is www.example.com allowed to set a cookie with Domain example.com?
is example.com allowed to set a cookie with Domain www.example.com?
is www.example.com allowed to set a cookie with Domain www2.example.com?
is example.com allowed to set a cookie with Domain example.org?
is example.com allowed to set a cookie with Domain com?
Is https://publicsuffix.org/ relevant here for the site context?
Thx

Cookie behavior in Django

I've been doing some research on cookies in Django for some time now.
However, I don't understand the following.
The default setting in django for the SESSION_COOKIE_DOMAIN is None so the domain attribute will be empty.
Django sets the session cookie in the session middleware:
response.set_cookie(
# ...
domain=settings.SESSION_COOKIE_DOMAIN,
)
The set_cookie function from the response object has the following relevant part if the domain is None which is the default setting in Django:
if domain is not None:
self.cookies[key]['domain'] = domain
Therefore, I assume that the domain in the cookie header is omitted.
I've read this great article about cookies and user2864740 made a nice conclusion about it:
"When no domain is set in the cookie, the cookie should only match the exact host name of the request.
No sub domains, no partial matches.
This means simply not including the domain attribute – it is not valid to set an empty domain attribute."
1.) Why does the cookie still work if it's not valid to leave the domain attribute empty or did I missunderstood something here?
2.) Let's assume I own the domain example.com
I don't modify the default settings from django so SESSION_COOKIE_DOMAIN is None
If I inspect the cookies for the domain example.com I see the following:
Name: sessionid
Value: XXXXXX
Host: example.com
I thought setting a cookie domain without a preceding dot is invalid. Why does Django not use .example.com?
Is it basically the same if the cookie domain is example.com because it will produce the same behaviour as with a preceding dot?
3.) Did I understand it correctly that if I set a cookie on example.com (without www) the cookie will also be available on all subdomains and it's currently not possible to set a cookie only on the main domain that is not available on subdomains.
1.) Why does the cookie still work if it's not valid to leave the domain attribute empty or did I missunderstood something here?
The code you just pointed to makes clear that no domain is set in the response; the key is simply not included. What would be invalid (more precisely, "undefined"), would be including the key Domain but leaving out an attribute value. Django doesn't do that.
2.) I thought setting a cookie domain without a preceding dot is invalid. Why does Django not use .example.com?
First, you have that backwards. RFC 6265 says that a leading dot "is not permitted" (though it will simply be ignored if it's there).
Secondly, the cookie details you've shown don't include a Domain key. "Host" is not a cookie attribute; that's presumably just Chrome telling you where the cookie came from.
3.) Did I understand it correctly that if I set a cookie on example.com (without www) the cookie will also be available on all subdomains and it's currently not possible to set a cookie only on the main domain that is not available on subdomains.
Right.

Accessing Cookies across Sub-domain

We have cookies added by the current website say www.example.com. Cookie domain of those cookies is one of the following when viewed in browser,
www.example.com (are also marked as HostOnly)
.example.com
.www.example.com
Now, we are creating a sub-domain say test.example.com and we need that sub-domain to have access to all the cookies added by www.example.com.
Please help in understanding which of the cookies will NOT be shared and why.
Also, another query regarding cookies is - HttpOnly. Will cookies marked as HttpOnly be not available across sub-domains?

Modifying cookie domain in Google Tag Manager from ".example.com" to "example.com"

on my website I have Google Tag Manager with a GA Universal Analytics Tag installed. All images on the site are on a dedicated subdomain: images.example.com
My issue is that Analytics sets its _ga cookie to ".example.com" so it is sent along with all requests to images.example.com. I would like to set the cookie domain to "example.com" (without the dot) so it does not apply to my image-only subdomain.
I have already set the "Cookie Domain" setting to a macro which is a constant with the value "domain.com" and even though the container is properly published the cookie domain remains ".example.com"
Do you guys have any hints on how I could change the cookie domain?
Use the cookie domain "none"
This will set a host-only cookie which will not be sent for all subdomains. Except in IE.
See the localhost example here:
https://developers.google.com/analytics/devguides/collection/analyticsjs/domains

How to stop domain cookies being used for subdomains?

I have a setup with the following domains:
mydomain.com
www.mydomain.com
There is one problem (tested on Internet Explorer):
if some cookie is set for mydomain.com, this cookie is also effective for www.mydomain.com even if I set a cookie with the same name for www.mydomain.com.
More specific examople:
1) the user chooses his prefered language on website mydomain.com and I set the cookie usrlng=en
2) next day someone else uses the same computer, naviagtes to www.mydomain.com and chooses his language, and I set the usrlng=de. But Internet Explorer keeps sending both cookies usrlng=en and usrlng=de to the server (I see this in Fiddler)! Why is it sending the same cookie twice and not overriding 'usrlng' with the subdomain value?
At the same time I see that PHPSESSID is being overwritten correctly for the subdomain, there are no two PHPSESSID cookies being sent to the server.
How can I fix the usrlng cookie and make it work the same way as PHPSESSID works?
You can also set a different save_path for each... so they don't share the sessions.
PHP example:
$subdomain = array_shift(explode('.',$_SERVER['HTTP_HOST']));
ini_set('session.save_path','D:\website_sessions\'.$subdomain.'\');
ini_set('session.save_path','D:\website_sessions\'.$subdomain.'\');
PHP needs access to write in the sessions directory.
For now I solved the problem by setting the 'host' of the cookie instead of 'domain'; 'host' property allowed to limit the cookie to mydomain.com or www.mydomain.com.
Maybe that is the only way to go and 'domain' cannot be set up to oveeride top level domain cookies.