Sunday, April 17, 2016

Why won't you take my cookie? Cover domain and public suffixes ...

Recently at work we were having issues with cookies while trying to set up Docker for a bunch of apps.

We had five applications running on five docker containers. 

Container A: authentication back-end
Container B: authentication front-end 
Container C: app front-end
Container D: app back-end
Container E: nginx

We were expecting this flow:
  1. Navigate to docker.local 
  2. Authentication front-end loads on client with signup page
  3. Fill out signup form and submit
  4. Authentication back-end creates account, returns success response and sets a session cookie on client
  5. Client redirects to app front-end
  6. App front-end does a GET on a protected resource in app back-end, passes session cookie along
  7. App back-end authenticates with authentication back-end using session cookie from request and returns the protected resource
  8. App front-end loads the resource and renders the page

We ran into problems at step #4. The session cookie was never being set. We were not using a Secure cookie or an HttpOnly cookie. Every time we submitted the form, we got a 200 response from the authentication back-end server with a Set-Cookie header that attempted to set a cookie named session_id. However, every time we logged the client's cookie information after the server response, the session_id cookie was missing.

After reading more about cookies, we learned that the problem had to do with the value of the cookie's Domain attribute (also known as the cover domain). In our case, the cookie's cover domain was set to .local. The purpose of the cover domain is security: it tells the browser client whether or not to accept the cookie, and on which later requests to send it. The basic rule of thumb is that if the client's domain equals the cover domain or is a subdomain of the cover domain, the cookie will be set / sent.

The exception to this rule is public suffixes.

For most modern browsers, any top-level domain is considered a public suffix. A public suffix is a domain under which anyone can register a name (there is an official list, the Public Suffix List). For example, ".com" is considered a public suffix. You can have "bob.com" and I can have "alan.com". Since the subdomains of a public suffix have different owners, it's not safe for cookies set by "bob.com" to be passed along to "alan.com".

Since ".local" is a top-level domain, it is considered a public suffix. Therefore, the cookie is not set! We changed the Domain attribute to "docker.local" and that solved our issue.
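To make the two rules above concrete, here is a small model of the decision a browser makes when it receives a Set-Cookie header with a Domain attribute. This is an added example, not code from the original post: it combines the RFC 6265 domain-match rule with a public-suffix check, and the `PUBLIC_SUFFIXES` set is a constructed subset standing in for the real Public Suffix List (browsers also treat any bare top-level label such as "local" or "com" as public, which is the case this post ran into). All function names are the example's own.

```python
# Added example (not from the original post): a minimal model of a browser's
# Set-Cookie Domain-attribute check, using the RFC 6265 domain-match rule plus
# a public-suffix check. The suffix set below is a constructed subset only.
from typing import Optional, Tuple

# Constructed subset of the Public Suffix List; the real list is much longer.
PUBLIC_SUFFIXES = {"com", "org", "co.uk", "github.io"}


def canonical(host: str) -> str:
    """Lower-case and strip the leading dot browsers ignore in Domain=.example.com."""
    return host.strip().lower().lstrip(".")


def is_public_suffix(domain: str) -> bool:
    """A bare top-level label ('local', 'com') is always public; multi-label
    entries come from the (constructed) suffix list."""
    domain = canonical(domain)
    return "." not in domain or domain in PUBLIC_SUFFIXES


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 5.1.3: the host matches if it equals the cookie domain or is a
    subdomain of it (ends with '.' + cookie domain)."""
    host, dom = canonical(request_host), canonical(cookie_domain)
    return host == dom or host.endswith("." + dom)


def cookie_domain_accepted(request_host: str,
                           cookie_domain: Optional[str]) -> Tuple[bool, str]:
    """Decide whether a Set-Cookie from request_host with the given Domain
    attribute is stored. Returns (accepted, reason)."""
    if not cookie_domain:
        # No Domain attribute: host-only cookie, bound to the exact request host.
        return True, f"host-only cookie for '{canonical(request_host)}'"
    dom = canonical(cookie_domain)
    if is_public_suffix(dom):
        return False, f"'{dom}' is a public suffix; cookie rejected"
    if not domain_matches(request_host, dom):
        # A server may only scope cookies to itself or a parent domain it sits under.
        return False, f"'{canonical(request_host)}' is not within '{dom}'; cookie rejected"
    return True, f"cookie scoped to '{dom}' and its subdomains"


def should_send(request_host: str, cookie_domain: str) -> bool:
    """Whether an already-stored cookie scoped to cookie_domain is attached to
    a request for request_host (same domain-match rule, applied at send time)."""
    return domain_matches(request_host, cookie_domain)


if __name__ == "__main__":
    # Constructed cases, including the .local vs docker.local situation from the post.
    cases = [
        ("docker.local", ".local"),        # rejected: bare TLD is a public suffix
        ("docker.local", "docker.local"),  # accepted: the fix described above
        ("docker.local", "other.local"),   # rejected: host is not under other.local
        ("bob.com", ".com"),               # rejected: would leak to alan.com
        ("bob.co.uk", "co.uk"),            # rejected: multi-label public suffix
        ("app.bob.com", "bob.com"),        # accepted: parent domain of the host
    ]
    for host, dom in cases:
        ok, why = cookie_domain_accepted(host, dom)
        print(f"{host:12} Domain={dom:13} -> {'SET' if ok else 'DROP'}: {why}")
    print("send to api.docker.local:", should_send("api.docker.local", "docker.local"))
```

Run with `python3 cookie_domain.py` to see each case decided. The third case shows a check the rule of thumb above leaves implicit: the host that sets the cookie must itself domain-match the Domain attribute, so a server on docker.local cannot scope a cookie to a sibling such as other.local. A real browser consults the full Public Suffix List, so entries such as co.uk or github.io are rejected for the same reason as a bare TLD.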
