What’s the Current Status of Third-Party Cookies?

Asked By CuriousCoder42 On

I'm developing a SaaS platform that will operate across several domains, such as saas.domainA.com, saas.domainB.com, and saas.domainC.com. The API endpoint for all these domains will be api.saas.com. A few years back, this setup wasn't an issue, but I've noticed that some browsers, like Firefox, now block third-party cookies by default. If a user visits saas.domainA.com and an API call is made to api.saas.com where a cookie is set, will this cookie be ignored by the browser? Are all browsers implementing systems like CHIPS on Chrome so I can manage authentication through cookies without hassle?

4 Answers

Answered By TechSavvy123 On

Currently, Chrome is the only major browser that still allows third-party cookies by default since it relies on data tracking. So, it’s best not to depend on third-party cookies at all. Instead, consider using JWTs or similar methods to authenticate directly with your API calls.

Answered By SecurityGuru90 On

Have you looked into OpenID Connect (OIDC)? It might offer a more secure way to handle authentication without relying solely on cookies.

Answered By WebDevWizard On

Managing multiple domains in a SaaS setup complicates things with third-party cookies. If your product needs them, some users might have them turned off and will face issues using your service unless they change their settings. Instead, consider using HTTP headers to replicate session cookie functionality if both client and server can agree on a standard.
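The header-based approach from this answer, sketched as an added example that is not part of the original answers: api.saas.com issues an opaque session token that the front-end sends back in an `Authorization` header, so no cross-site cookie is involved. The function names, the 15-minute lifetime, and the in-memory store are assumptions made for illustration.

```javascript
// Constructed allowlist: the tenant front-ends from the question. Browsers
// serialize the Origin header with a lowercase host, so store it that way.
const ALLOWED_ORIGINS = new Set([
  'https://saas.domaina.com',
  'https://saas.domainb.com',
  'https://saas.domainc.com',
]);
const SESSION_TTL_MS = 15 * 60 * 1000; // assumed lifetime
const sessions = new Map(); // token -> { user, origin, expires }

// Node 19+ and browsers expose crypto globally; older Node uses the built-in module.
const rng = globalThis.crypto ?? require('node:crypto').webcrypto;

// CORS response headers for api.saas.com. Unknown origins get none, so the
// browser refuses to hand them the response. No Allow-Credentials is needed
// because no cookie is involved.
function corsHeaders(origin) {
  if (!ALLOWED_ORIGINS.has(origin)) return {};
  return {
    'Access-Control-Allow-Origin': origin, // exact echo, never '*'
    'Access-Control-Allow-Headers': 'Authorization, Content-Type',
    'Vary': 'Origin',
  };
}

// Called after a successful login; returns a 256-bit random token as hex.
function issueSession(user, origin, now = Date.now()) {
  if (!ALLOWED_ORIGINS.has(origin)) return null;
  const bytes = rng.getRandomValues(new Uint8Array(32));
  const token = Array.from(bytes, (b) => b.toString(16).padStart(2, '0')).join('');
  sessions.set(token, { user, origin, expires: now + SESSION_TTL_MS });
  return token;
}

// `headers` uses lowercase names, as Node's http module provides them.
function authenticate(headers, now = Date.now()) {
  const match = /^Bearer ([0-9a-f]{64})$/.exec(headers.authorization || '');
  if (!match) return null;
  const session = sessions.get(match[1]);
  if (!session) return null;
  if (now >= session.expires) { sessions.delete(match[1]); return null; }
  // Bind the token to the tenant origin that obtained it (browser clients only).
  if (headers.origin !== session.origin) return null;
  return session.user;
}
```

Unlike an `HttpOnly` cookie, this token is readable by page script, so a short lifetime and server-side revocation matter more here.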

Answered By BrowserNinja On

Why not create aliases for your API? For example, using saas.domainA.com and api.saas.domainA.com could allow you to share cookies between them.
