cookies – Cookie and sharing across subdomains?

Question:

I have a website at the address http://www.mysite.com.br whose code creates some cookies for settings and even some with encrypted data. Now a subdomain has been created at the address http://api.mysite.com.br for a new site, and I noticed that the same cookies are shared, and even the keys that were created are accessible, since the applications run on the same server.

I ask:


  1. Is there really cookie sharing between an application and its subdomains?
  2. What are the good points?
  3. What are the downsides?
  4. Overall, is there a better technique for sharing domain information with subdomains?

Answer:

Depending on the application, sharing cookies between different subdomains can be a problem, especially since you said the cookies even contain encrypted data. I would create a table in the DB with the following fields:

  1. Session cookie (Ex: PHPSESSID)
  2. Subdomains where data will be visible.
  3. Encrypted data.

In this way, you can create a method that checks the session cookie and the user's current subdomain, and looks up in the DB whether that session has access to the encrypted data. This would protect the encrypted data and only release it if the session cookie matches the subdomain. Another alternative might be to take advantage of the flexibility of sessionStorage(), but that is not as secure as this DB technique either.
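The following is an added example, not code from the question or the answer above, of the table-based check the answer describes: one row per (session cookie, subdomain) pair holding the encrypted blob, and a lookup that releases the blob only when the request's Host matches a row for that session. The table name `session_data`, the SQLite store, the hypothetical `grant` and `fetch_for_request` helpers, and the sample session id and ciphertext are all assumptions made for the example; the cookie name PHPSESSID is the one the answer uses.

```python
import sqlite3
from http.cookies import SimpleCookie

# Hypothetical schema for the answer's table: session cookie, subdomain where
# the data is visible, and the encrypted data itself. One row per subdomain
# keeps visibility explicit per host.
SCHEMA = """
CREATE TABLE session_data (
    session_id     TEXT NOT NULL,
    subdomain      TEXT NOT NULL,
    encrypted_data BLOB NOT NULL,
    PRIMARY KEY (session_id, subdomain)
);
"""


def open_store():
    """Open an in-memory SQLite store with the schema above (example only)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def grant(conn, session_id, subdomains, encrypted_data):
    """Record which subdomains may see this session's encrypted blob."""
    conn.executemany(
        "INSERT OR REPLACE INTO session_data VALUES (?, ?, ?)",
        [(session_id, host.lower(), encrypted_data) for host in subdomains],
    )
    conn.commit()


def parse_cookie_header(header):
    """Parse a raw Cookie request header into a dict of name -> value."""
    jar = SimpleCookie()
    jar.load(header or "")
    return {name: morsel.value for name, morsel in jar.items()}


def fetch_for_request(conn, cookie_header, host):
    """Return the encrypted blob only if the session cookie is authorised
    for the Host the request arrived on; otherwise return None.

    The browser sends the same PHPSESSID to every subdomain when the cookie
    is scoped to the parent domain, so the check must be done server-side
    against the Host header, never against the cookie alone.
    """
    session_id = parse_cookie_header(cookie_header).get("PHPSESSID")
    if not session_id:
        return None
    # Normalise the Host header: strip any port and lower-case it.
    host = host.split(":", 1)[0].strip().lower()
    row = conn.execute(
        "SELECT encrypted_data FROM session_data "
        "WHERE session_id = ? AND subdomain = ?",
        (session_id, host),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    # Constructed sample data: the session id and ciphertext are made up.
    db = open_store()
    grant(db, "k3j4h5g6", ["www.mysite.com.br"], b"\x9f\x12\x7a\xcc")
    cookie = "PHPSESSID=k3j4h5g6; theme=dark"
    print(fetch_for_request(db, cookie, "www.mysite.com.br"))  # released
    print(fetch_for_request(db, cookie, "api.mysite.com.br"))  # None
```

The same session cookie reaches both hosts, but only the www row exists, so api.mysite.com.br is refused even though it runs on the same server and receives the same PHPSESSID.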
