I'm currently managing two websites: admin.domain.com and shop.domain.com. I need to send a Boolean value to indicate whether a request comes from the admin or shop site. Right now, I have a cookie that is accessible by both subdomains, since I'm setting the cookie's domain to .domain.com. However, when I try to set the cookie specifically for admin.domain.com, it doesn't get saved. I want to ensure that cookies sent from admin are not accessible to shop and vice versa. I'm using express.js for this, and any help would be greatly appreciated!
2 Answers
While you're figuring this out, check out this article on security and cookies with subdomains. It discusses cookie tossing, which could save you from some potential headaches in the future.
Instead of relying on cookies, why not read the hostname directly from the HTTP request? It can help you identify the origin of the request without going through the cookie setup.
I was working on these sites locally, so both hostnames were set to localhost, which made it tricky. I wanted something reliable to tell where the request came from. How exactly would checking the hostname help me to manage cookies separately?
I read the part where it says that cookies set for admin.domain.com apply to that subdomain and its subdomains. So, why can't I save a cookie just for admin.domain.com when I try to set it that way?
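Putting the two answers together, as an added example (not code from the question or the answers): a plain-Node model of how a browser scopes a host-only cookie versus a Domain=.domain.com cookie, and classification of the request by its Host header instead of a cookie. It assumes the hostnames admin.domain.com and shop.domain.com from the question and needs no Express install.

```javascript
// Added example: browser cookie-scoping rules (RFC 6265) and host-based request
// classification. Hostnames admin.domain.com / shop.domain.com are from the question.

// Build a Set-Cookie header value. Leaving out the Domain attribute makes a host-only
// cookie that the browser returns only to the exact host that set it.
function buildSetCookie(name, value, { domain, secure = true, httpOnly = true, sameSite = 'Lax' } = {}) {
  const parts = [`${encodeURIComponent(name)}=${encodeURIComponent(value)}`, 'Path=/'];
  if (domain) parts.push(`Domain=${domain}`);
  if (secure) parts.push('Secure');
  if (httpOnly) parts.push('HttpOnly');
  parts.push(`SameSite=${sameSite}`);
  return parts.join('; ');
}

// RFC 6265 domain-matching: a leading dot is ignored; a host matches Domain=d when it
// equals d or is a subdomain of d.
function domainMatches(host, domainAttr) {
  const d = domainAttr.replace(/^\./, '').toLowerCase();
  const h = host.toLowerCase();
  return h === d || h.endsWith('.' + d);
}

// A browser stores a cookie carrying a Domain attribute only if the responding host
// domain-matches it: shop.domain.com cannot set a cookie with Domain=admin.domain.com.
function domainAttrAccepted(setByHost, domainAttr) {
  return domainMatches(setByHost, domainAttr);
}

// Which requests get the cookie back: a host-only cookie goes to the setting host only,
// a domain cookie to that domain and all of its subdomains (so Domain=.domain.com is
// readable by both admin and shop, which is the sharing the question wants to avoid).
function cookieAppliesTo(cookie, requestHost) {
  if (!cookie.domain) return requestHost.toLowerCase() === cookie.setBy.toLowerCase();
  return domainMatches(requestHost, cookie.domain);
}

// Server-side classification from the Host header (Express exposes it as req.hostname).
// The origin is decided by which virtual host received the request, not by a value the
// client sent in a cookie. Both sites on plain "localhost" map to the same name, so this
// needs distinct local hostnames during development.
const SITE_BY_HOST = { 'admin.domain.com': 'admin', 'shop.domain.com': 'shop' };
function siteFromHost(hostHeader) {
  const host = String(hostHeader || '').split(':')[0].toLowerCase(); // drop any port
  return SITE_BY_HOST[host] || null;
}

console.log(buildSetCookie('site', 'admin'));            // host-only cookie
console.log(siteFromHost('admin.domain.com:3000'));      // "admin"
```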